Mandatory Data Breach Reporting Appears Dead
A plan by the Obama Administration to set up a framework for exchanging cybersecurity information could be dead, at least as a mandatory requirement. But that doesn't mean such an information-sharing framework is off the table.

The Washington Post reported April 26 that, while a national plan that would require companies to share cybersecurity information is well and truly finished, the administration still hopes for the appearance of a watered-down plan that would incentivize companies to share that data. Those incentives could include indemnification from shareholder lawsuits, one of the concerns of companies at risk of a security breach. The concerns, according to the paper, were that private companies would be forced to share non-anonymized information with the government.

However, ForeignPolicy.com believes that a cybersecurity information-sharing bill is very much alive. "I'm pretty confident that if we got to conference we could work a bill out," said Andrew Grotto, lead staffer on the Senate Intelligence Committee, as reported by the site. Grotto suggested that most interested parties agree that information should be shared privately among companies, and that the focus is cybersecurity, not combatting IP piracy.

If a cybersecurity bill has teeth, it would stem from a Feb. 12 executive order that requires the Secretary of Defense to begin a "voluntary information sharing program" that "will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure." That process would take place 120 days after the order was issued, or June 12, and would require that the SecDef and the Attorney General, in coordination with the Director of National Intelligence, provide those reports to critical infrastructure entities authorized to receive them.