Cybersecurity and Information Sharing


April 29, 2015


This In Focus summarizes the issues related to sharing
information about cybersecurity breaches (the theft of
information from computer networks) to prevent similar
incidents in the future. Legislation has been introduced in
the 113th and 114th Congresses to remove what some
perceive to be legal obstacles to information sharing.

Overview

What Is Information Sharing? The discussion of
cybersecurity data breach information sharing usually
refers to sharing information within an industry or between
industry and government about a cyberattack. Sharing data
breach information with consumers is usually discussed
separately and called data breach notification.

What Is Stolen in a Data Breach? Confidential
information is usually copied in a data breach and sold or
used in ways that adversely impact the rightful owners of
the information. This can include credit and debit card
information, medical records, personally identifiable
information, or an organization's proprietary information.
Historically, credit card information has been the most
stolen information.

How Do Data Breaches Occur? In 2014, according to the
Identity Theft Resource Center, hacking was involved in
29% of 783 data breaches analyzed. Other causes were
subcontractors and third parties (15%), physical theft
(13%), accidental exposure (12%), employee negligence
(11%), insider theft (10%), and data moving over a network
(8%).

Figure 1. Techniques Used in Data Breaches [figure image not reproduced in this text]

Source: Identity Theft Resource Center, ITRC Breach Statistics
2005-2014, http://www.idtheftcenter.org/images/breach/MultiYearStatistics.pdf.

Costs and Who Bears Them? Merchants that honor stolen
credit cards can have charges reversed (a chargeback) and
end up without the merchandise or the payment. Credit card
issuers say they are not fully reimbursed when they have to
replace a compromised credit card. Companies that produce
software with security flaws may not bear the cost of the
flaws. The result is that those responsible for cybersecurity
breaches rarely pay the full cost of those breaches.

Use of Shared Information. Sharing information about
cyber breaches could help other organizations to implement
lessons learned from the breaches. This does not always
occur. Recent data breaches have used similar techniques
that were disclosed in the media. For example, memory
skimming was used in the Target data breach to capture
information in the chain's point-of-sale terminals. Target
was not the first company to suffer from this attack method;
other companies that have been victimized by the same
malware are reported to include Home Depot and three
parking services.

  The biggest question is whether this information
  sharing proposal will contribute to the stated purpose,
  namely to better protect information systems and
  more effectively respond to cybersecurity incidents.
  -Richard Bejtlich, Chief Security Strategist at FireEye


More generally, point-of-sale terminals have reportedly been
compromised in various ways at the Mandarin Oriental
Hotel Group, Natural Grocers, gas station pumps, White
Lodging Services (twice), ATMs, Chick-fil-A, Staples,
Bebe, Michaels, and Kmart, to list a few.

Efficiency Considerations. A lack of information sharing
can lead organizations to duplicate each other's work.
Sharing information could, in theory, lead to more security
at less cost.

Perceived Legal Barriers. Firms and industry groups have
cited concerns over violating privacy and antitrust laws as a
reason that they are reluctant to share information. In an
attempt to assuage such fears, the Department of Justice and
the Federal Trade Commission have issued a joint statement
that properly designed sharing [is] not likely to raise
antitrust concerns.

Some  firms might be concerned about liability for sharing
information that includes innocent third parties.

Technical Barriers. One issue in sharing information is the
technical ability of those receiving the information to use
it. For example, the suggestion to "update and run an
antivirus program" is unlikely to present much of a
technical challenge, but "check all servers to verify that the
default administrator account has been deleted and that each
server has a unique password" requires more technical
skills and probably more effort.
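To show why the second recommendation above is more work than the first, here is an added example (not from the CRS brief) that audits a server inventory for exactly those two conditions: a default administrator account still present, and the same administrator password reused across hosts. The inventory records, hostnames and hash values are constructed; the set of default account names is an assumption.

```python
"""Audit a server inventory for the two checks the brief names:
a default administrator account that was never removed, and an
administrator password shared by more than one server."""
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts, not data from the brief).
# Each record lists the local accounts found on the host and the stored
# hash of its administrator password, as an inventory tool might collect them.
INVENTORY = [
    {"host": "web-01", "accounts": ["root", "deploy", "admin"], "admin_pw_hash": "h1"},
    {"host": "web-02", "accounts": ["root", "deploy"], "admin_pw_hash": "h1"},
    {"host": "db-01", "accounts": ["root", "postgres"], "admin_pw_hash": "h2"},
]

# Assumption: vendor default account names the organization wants removed.
DEFAULT_ADMIN_ACCOUNTS = {"admin", "administrator"}


def find_default_admin(inventory):
    """Return hostnames on which a default administrator account still exists."""
    return sorted(
        rec["host"] for rec in inventory
        if DEFAULT_ADMIN_ACCOUNTS & set(rec["accounts"])
    )


def find_shared_passwords(inventory):
    """Group hosts by administrator password hash and return the groups
    with more than one member. Identical hashes imply a reused password
    only when every host uses the same hashing scheme and salt; hosts with
    per-host salts need a different comparison method."""
    by_hash = defaultdict(list)
    for rec in inventory:
        by_hash[rec["admin_pw_hash"]].append(rec["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def audit(inventory):
    """Run both checks and return the findings as one report."""
    return {
        "default_admin_present": find_default_admin(inventory),
        "shared_admin_password": find_shared_passwords(inventory),
    }


if __name__ == "__main__":
    for check, finding in audit(INVENTORY).items():
        print(f"{check}: {finding}")
```

Even this small script presupposes a complete host inventory and a way to collect accounts and hashes from every server, which is the effort the brief alludes to.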


www.crs.gov | 7-5700
