Legal Risks Prevent Organizations from Sharing Cyber Threat Information

According to the Cyber Security Task Force: Public-Private Information Sharing report, written by the Homeland Security Project (HSP) at the non-profit Bipartisan Policy Center, companies and government agencies need to share more information to help fight against cyber attacks. As described in a recently published article by Elinor Mills, the new report asks Congress to preempt certain state and federal regulations so that companies can share information about cybersecurity threats and attacks with the government without the fear of breaking data breach and other laws.

“From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks,” the report said, citing a New York Times article. According to Mills, only a small number of incidents are reported to the DHS, mainly because companies are fearful about legal consequences.

The report further stated:

“The resolution of numerous legal impediments — some real, some perceived — is asserted by various stakeholders as a predicate to more robust cyber threat information sharing among private sector entities and between the private sector and the government. Perceptions of such impediments have created a collective action problem in which companies hold threat and vulnerability information close, rather than sharing it with each other or the government. Information that should be shared includes, but is not limited to, malware threat signatures, known malicious IP addresses, and immediate cyber attack incident details.”

To resolve this issue, the HSP report suggests offering safe harbors for cybersecurity-related information sharing:

“Congress should preempt state breach notification laws and federal unfair trade practice enforcement actions and streamline notifications under a federal standard. It should also provide a safe harbor for companies when there is no actual risk of consumers having their data misused. This regime would help to encourage sharing with the government by reducing the risk that sharing about incidents would result in violations of data breach and unfair trade practice laws.”

The final recommendation of the report is to consolidate all disparate state data breach laws into one national standard and then eliminate punitive lawsuits.

For more information about the Cyber Security Task Force: Public-Private Information Sharing report, visit: