Mandatory Data Breach Reporting Appears Dead

A plan by the Obama Administration to set up a framework for exchanging cybersecurity information could be dead—at least as a mandatory requirement.

But that doesn’t mean such an information-sharing framework is off the table. The Washington Post reported April 26 that, while a national plan that would require companies to share cybersecurity information is well and truly finished, the administration still hopes a watered-down plan will emerge that would incentivize companies to share that data. Those incentives could include indemnification from shareholder lawsuits, one of the concerns of companies at risk of a security breach.

The concerns, according to the paper, were that private companies would be forced to share non-anonymized information with the government.

However, ForeignPolicy.com believes that a cybersecurity information-sharing bill is very much alive. “I’m pretty confident that if we got to conference we could work a bill out,” said Andrew Grotto, lead staffer on the Senate Intelligence Committee, as reported by the site. Grotto suggested that most interested parties agree that information should be shared privately among companies, and that the focus is cybersecurity, not combatting IP piracy.

If a cybersecurity bill has teeth, it would stem from a Feb. 12 executive order that requires the Secretary of Defense to begin a “voluntary information sharing program [that] will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”

That process would take place 120 days after the order was issued, or June 12, and would require that the SecDef and the Attorney General, in coordination with the Director of National Intelligence, provide those reports to critical infrastructure entities authorized to receive them.

Directive 20

In related news, the Obama administration last week confirmed Presidential Policy Directive 20, which will create a classified national policy for handling attacks on the country’s national computing infrastructure. Issued by the Obama Administration last year, the directive “establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal,” according to the declassified summary.

Most companies would probably agree that a reliable source of private collaboration on security issues would be of value. Just how that will be done, however, is something that will still need to be worked out.

Image: Maksim Kabakou/Shutterstock.com