7. Should Companies Reporting A Breach Have Liability Protection?
Smith: We should notify I think a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure that it is put to good use to protect the country, and for that matter, people outside the country. I think we need to decide upon whom that duty should fall. It should certainly fall on those of us in the tech sector who are in the business of providing enterprise and other services. I think it’s not a bad idea to consider some kind of liability protection. It will make people more comfortable with doing this. This is about moving information fast to the right place so it can be put to good use.
Mandia: To me, notification needs to be confidential, or you don’t give organizations the capability to prepare for those liabilities. … I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out to places. Then disclosures that are legal requirements to inform those who are impacted. And you don’t know that day one. In FireEye’s case, we were sharing intel really fast, and we did not know what we had lost in our breach yet, but we knew there was something different about it. You can get the intel out there quickly if it’s confidential.
Warner: While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene. If you report that, you should not be free of your responsibility if you have been a sloppy player.