However, while mandating disclosure seems like it makes everyone but the victim company happy, that company may still choose to sweep the incident under the carpet and risk the penalty rather than risk the loss of consumer and shareholder trust. Senator Feinstein's bill caps monetary penalties at $25,000 a day. If a company estimates that breaking the trust of its customers and Wall Street would cost it $1 billion, for instance, it could hide knowledge of the incident for 40,000 days before going public would make financial sense.
I do not mean to imply that corporations are evil or act with intent to harm consumers, but history shows that corporations will protect shareholder and consumer confidence and their financial bottom line before they will do the right thing. One US automobile manufacturer once determined that it would cost more to recall vehicles and repair a fatal defect than it would to settle the lawsuits from the families of the people killed by the defect. It chose the cheaper (and more secretive) alternative even though lives were at stake.
Applying the same logic here, I predict that Senator Feinstein's bill may lead to secretive boardroom meetings and confidential memos passed back and forth to decide where the break-even point for the bottom line lies, and whether it makes better financial sense to disclose information about an attack or to hide it and hope that it never leaks.
Both proposals, exempting companies from the US Freedom of Information Act and Senator Feinstein's bill, have their advantages. To learn from incidents and develop more effective defenses for the critical infrastructure, it is imperative that companies be willing to share information about attacks. Consumers have a right to know when their personal and confidential information has been compromised and should be notified of such incidents.
Ultimately, though, you have to show the companies the ROI (Return On Investment). Asking them to share the information if you promise to keep it secret, or requiring them to share it under threat of a slap on the financial wrist, will not compel companies to cooperate if you can't show them what is in it for them. What do they get out of such disclosure? The benefits of learning from each other and sharing information to secure the Internet as a whole must be sold in a way that makes sense to the corporations.
One way or another, corporations should start looking at how they handle incidents of this nature. They should have policies and procedures in place that spell out who gets notified within the company, which law enforcement agencies, if any, are notified, and what actions are taken to mitigate the attack and protect against future attacks. Security is a hot issue, and one way or another it seems that companies may have to start disclosing information about cyber-attacks and security breaches.
