Government Should Require Businesses to Disclose Breaches, CyberSheath CEO Says

Technology company executives are calling on legislators to require businesses to disclose data breaches but are asking for limited legal liability in return, according to Eric Noonan, chief executive officer of CyberSheath.

Legislation about data breach reporting has been debated for years but only saw serious consideration in the wake of the SolarWinds hack, Noonan, a Potomac Officers Club member, said in a column published by Nextgov.

According to Noonan, data breach reporting was the most intriguing suggestion at the first Senate Intelligence Committee hearing on the SolarWinds attack, which compromised the networks at multiple agencies and more than a hundred American companies.

During the hearing, committee Chairman Mark Warner said providing legal protection for disclosures could lead to “sloppy behavior” among companies.

Noonan said that while granting businesses limited legal liability is a reasonable incentive, companies should also be required to meet minimum cybersecurity standards.

The Department of Defense is already rolling out minimum cybersecurity requirements in defense contracts through the nascent Cybersecurity Maturity Model Certification program.

Other federal agencies, including the Department of Homeland Security and the General Services Administration, have begun including CMMC-like requirements in their contracting process.

Noonan said that if businesses meet a legally-sanctioned minimum cybersecurity standard, the federal government can take advantage of a more robust threat-sharing ecosystem.

He also pointed to DOD’s breach notification model. The Defense Federal Acquisition Regulation Supplement requires contractors to notify the Pentagon of any cybersecurity incidents within 73 hours. Noonan said that DOD breach reporting system can serve as a basis for one at the federal level.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now