Public-Private Information Sharing


  • 7/31/2019 Public-Private Information Sharing

    1/24


DISCLAIMER

This report is the product of the Bipartisan Policy Center's Homeland Security Project. The findings and recommendations expressed herein are solely those of the Homeland Security Project and do not necessarily represent the views or opinions of the Bipartisan Policy Center, its founders or its board of directors.


Cyber Security Task Force: Public-Private Information Sharing

Table of Contents

Cyber Security Task Force  3
Chapter 1: A Time for Action  5
  Information Sharing Today  6
  Information Sharing in the Future  7
  Protecting Privacy When Sharing Information  7
Chapter 2: Mitigating Legal Impediments to Information Sharing  9
  Protect Cyber Threat Information Provided to the Government  9
  Provide Liability Protection for Cyber Threat Information Clearinghouses that Gather the Information  9
  Amend Communications Laws  10
    Revising Consent  11
    Sharing with the Government  11
    Cyber Security Emergency  12
  Enhance Sharing of Threat Information With Critical Infrastructure Owners and Operators  13
Chapter 3: Streamlining Data Breach Notifications  15
  State Data Breach Laws  15
  Federal Trade Commission (FTC) Authority  15
  Administration Proposal  15
  Our Proposal  16
Recommendations  17
Endnotes  19


National Security Program, Homeland Security Project


Cyber Security Task Force

CO-CHAIRS
General (ret.) Michael Hayden, Former Director, CIA and NSA
Mortimer B. Zuckerman, CEO and Chairman of the Board of Directors, Boston Properties, Inc.

TASK FORCE DIRECTOR
Rob Strayer, Director, Homeland Security Project

MEMBERS
Stewart Baker, Former Assistant Secretary for Policy, DHS
Bryan Cunningham, Former Deputy Legal Advisor to the National Security Advisor
Richard Falkenrath, Former NYPD Deputy Commissioner for Counterterrorism
General (ret.) Ron Keys, Former Commander, Air Combat Command, U.S. Air Force
Benjamin Powell, Former General Counsel of the Office of the Director of National Intelligence
Jeffrey Rosen, Professor of Law at George Washington University
Marcus Sachs, Vice President, National Security Policy, Verizon Communications
Frances Townsend, Former Homeland Security Advisor and Deputy National Security Advisor for Combating Terrorism


Chapter 1: A Time for Action

The attacks on information technology systems from a wide range of adversaries including hacktivists, criminals, and nation-states continue to grow.[1] From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks.[2] The incidents reported to DHS represent only a small fraction of cyber attacks carried out in the United States. The financial losses resulting from the theft of intellectual property and other sensitive information continue to increase dramatically, to say nothing of the loss of state secrets and damage to our national security.

Improvements in information sharing between the federal government and private sector about cyber threats and vulnerabilities show great promise for improving our cyber defenses and potential response measures. Public-private cyber information sharing can bolster and speed identification and detection of threats and will be critical to a coordinated response to a cyber incident. This type of information sharing can and must be done in a manner that protects privacy and civil liberties.

Despite general agreement that we need to do it, cyber information sharing is not meeting our needs today. The resolution of numerous legal impediments, some real, some perceived, is asserted by various stakeholders as a predicate to more robust cyber threat information sharing among private sector entities and between the private sector and the government. Perceptions of such impediments have created a collective action problem in which companies hold threat and vulnerability information close, rather than sharing it with each other or the government. Information that should be shared includes, but is not limited to, malware threat signatures, known malicious IP addresses, and immediate cyber attack incident details.

The public disclosure in April 2012 of attempted attacks against natural gas pipeline company systems provides an example of why this is necessary.[3] The coordinated attacks began in December 2011, but were not recognized and analyzed by DHS until March 2012.[4] In an era of light-speed attacks, that was far too long. Systems could have been disrupted or damaged long before other companies were aware of the attack vectors and possible remedial steps.

A more robust sharing of private and public network security information as well as threat information, in real time, would yield a level of situational awareness about the nation's information technology and communications systems that would enable operational and strategic decisions to be made about how to better protect them and respond to attackers. To be effective, such information sharing will require the automated exchange of data from computer to computer (so-called machine-to-machine sharing). While malware can be quarantined and communications with bad IP addresses blocked almost immediately after information on them is received, decisions about undertaking protective actions and active response measures often will require human evaluation of this data. This analysis turns data into intelligence. Both the government and private-sector companies need the capability to quickly be alerted, analyze data, develop courses of action, and execute decisions, sometimes in the face of a rapidly changing threat.

Below, we outline a series of proposals that would enhance information sharing. Our recommendations have two major components: 1) mitigation of perceived legal impediments to information sharing, and 2) incentivizing private sector information sharing by alleviating statutory and regulatory obstacles. We begin with a description of information sharing today and then will explain how that framework must change.


Information Sharing Today

There are numerous sources of data about cyber threats and vulnerabilities. The government, commercial security service providers, Internet Service Providers (ISPs), non-profit groups, industry associations, and individual companies' networks can all be sources of information. Among other information, they provide threat signatures for malware, IP addresses and domain names involved in cyber attacks, and descriptions of particular cyber attacks. But this information sharing currently is far from comprehensive or sufficient, coming from only companies and organizations that choose to share cyber attack information. Many do not do so because of fears, some justified, including harm to their reputations and potential loss of customers.

Another chilling effect on sharing comes from the concern that private proprietary information compiled in government databases will be discoverable through Freedom of Information Act (FOIA) requests. Entities also are concerned that they may be held liable for the threat information they share if it turns out to be inaccurate. On the more technical side, another problem is that the data often arrives in the form of paper documents and email alerts that are not machine-readable or that must be acquired from website postings. This means that the information is not usable rapidly enough to prevent an attack or detect one that is ongoing.

In 2011, the Department of Defense (DoD) began testing an information-sharing program called the Defense Industrial Base (DIB) cyber security pilot program, intended to enhance the defensive capacity of its partners in private industry against cyber attacks.[5] Under the DIB pilot program, DoD provided classified malicious signatures that it had identified to industrial defense contractors, expanding their set of known threats. DoD disseminated the signature data by hard copy to defense contractors, who then entered the signature information into their systems manually, rather than through a secure method of automatic transfer.[6] The DIB pilot only involved a few dozen companies that met a set of security and operational requirements.[7]

DoD has released an interim rule that builds upon the DIB pilot and will establish an expanded cyber information-sharing program, allowing many more companies to participate.[8] Implementing a secure, automated method should increase the effectiveness of, and participation in, this program among private contractors.

The lessons learned from the DoD cyber pilot for establishing active and reliable methods of sharing threat data can be applied to other economic sectors as well. It is particularly important for companies in other sectors to establish such mechanisms because they typically are not cleared to receive and retain classified cyber threat data.

Reportedly, efforts are underway to automate more of the information sharing between the government and private sector. DHS is working with industry-led Information Sharing and Analysis Centers (ISACs) to achieve this goal.[9] (Originally sponsored by the government, but now operating independently of government funding or control, ISACs cover specific industry sectors, such as financial services and universities.) For years, ISACs have coordinated the sharing of terrorism and homeland security-related information with particular sectors. Some have now ventured into sharing cyber security threat information, but there are only a few industry sectors with ISACs active in cyber security and much work remains to be done to achieve automated sharing.

In addition to ISACs, DHS provides alerts through emails generally open to all subscribers. The problem with these types of alerts is that they often do not contain sufficient detail to be actionable. Such detail may be something that DHS and other federal agencies would be willing to share, but only with a limited number of trusted companies to protect their source or method of acquiring the information. The federal government could also be criticized as showing favoritism to some if it did not provide the information to all in a transparent way.

Information Sharing in the Future

The government should empower cyber security officials to make judgments about which companies are likely to benefit from cyber intelligence, and be authorized to share information with these companies when circumstances warrant. Additionally, when less sensitive information is available, it should be shared as widely as possible across economic sectors.

The government should also attempt to tailor its information sharing and analyses to companies that have sought to share information with it. More specifically, a company that shares information with the government about a particular type of malware or intruder should receive the government's analysis about the attacker and methods, which could help the company to better protect its networks in the future. This intelligence might let a company know what type of data the attacker was seeking and might seek again. Federal law enforcement should also warn other key stakeholders in a particular economic sector about which they have emerging cyber threat information, even if other stakeholders may not be currently under the same type of attack. This type of tailored, more responsive sharing by the government will act as an incentive for companies to share with the government, even without a legal requirement to do so.

With more robust information sharing, there can be greater situational awareness about the health of the nation's information technology architecture. A real-time understanding of threats and vulnerabilities is necessary for government officials and industry leaders to make decisions about tactical protective and response measures. The real-time sharing of threatening IP addresses and other threat indicators can occur both through government-operated or private-sector aggregators of this information. In addition to our specific recommendations below, immediate enhancements of information sharing within the private sector, as well as between the government and private sector, to the greatest extent legally feasible, should not wait for new comprehensive legislation.

Protecting Privacy When Sharing Information

Enhanced cyber threat information sharing should be permitted only in environments utilizing currently available technological, administrative and physical protections for the security of shared information, particularly where such information is likely to include personally identifiable information (PII) or other potentially sensitive information. Currently available technology, procedures and best practices should be required for enhanced cyber threat information sharing including, but not limited to, privacy-enhancing technologies to support: 1) proportionality, which balances competing values by enabling sharing of all information reasonably necessary to accomplish the purpose of the sharing, but not more; 2) authorized uses of information and protections against repurposing; 3) differentiated access and selective revelation; 4) robust real-time and immutable auditing capabilities; and 5) effective oversight mechanisms.

While enhanced, and legally protected, cyber threat information sharing is necessary to meet the increasing threats to our critical infrastructure, it need not, and must not, come at the expense of Americans' privacy and civil liberties, particularly given the current availability of cost-effective technology to protect such information.


Chapter 2: Mitigating Legal Impediments to Information Sharing

Protect Cyber Threat Information Provided to the Government

Corporations often are reluctant to share cyber vulnerability information with the government because they consider their system vulnerabilities to be sensitive information and do not want proprietary documents and information to be disclosed to the public and competitors. Stakeholders worry that such disclosures could result in reputational harm, competitive disadvantage, lost profits and shareholder derivative actions or other lawsuits. Information shared with the government could potentially be released through government employee error or as the result of a FOIA request. Companies also are concerned that an agency with regulatory authority over them could use information about a cyber incident to pursue enforcement or other unrelated regulatory action.

The Critical Infrastructure Information Act (CIIA) (section 211 of the Homeland Security Act)[10] provides a mechanism for the protection of sensitive cyber security information shared with DHS. Information protected under the CIIA cannot be disclosed to any other part of the government or under the authority of a FOIA request, except under very limited circumstances.

Currently, DHS signs Cooperative Research and Development Agreements (CRADAs)[11] with companies that are willing to share information with the government, thereby invoking the protections of the CIIA. These protections can be enhanced by amending the CIIA to clarify that cyber threat and vulnerability information submitted to the government cannot be disclosed without consent of the submitter. Its scope should also be expanded to cover such information provided by companies that are not necessarily owners or operators of critical infrastructure networks.

While it still may be necessary to sign agreements with individual companies that have particular concerns about the treatment of information that they share, to the extent practicable, DHS should standardize the agreements to limit lengthy negotiations over their provisions. The goal should be to establish an easily replicable framework for sharing (and protecting) information from thousands of companies.

Provide Liability Protection for Cyber Threat Information Clearinghouses that Gather the Information

Some industry ISACs have begun to serve as clearinghouses for information such as IP addresses and domain names that distribute malware or are destinations for packets sent by corrupted computers.[12] These ISACs collect information from sector industry members and share information among those members.

There are also for-profit and non-profit entities engaged in identifying and sharing such IP addresses and domain names. One of the more successful non-profit efforts is the Anti-Phishing Working Group (APWG)[13] that receives contributions from many different industry members and government entities (both domestic and foreign), including law enforcement. They are able to act as a clearinghouse by consolidating malicious IP addresses and then providing them to all subscribers to a listserv with periodic updates. These mechanisms for sharing cyber security threat information are important and should be encouraged.

Unfortunately, entities that collect and aggregate cyber threat information have been threatened with lawsuits by owners of domain names and companies who host websites that are the sources of botnet control servers or phishing attacks, but also host other websites that are innocuous. The ability of these entities to share information will be chilled if subject to lawsuits about the accuracy of their data. To date, ISACs have only shared with members who they know and trust from their particular industry sectors, rather than distributing the information more broadly. The potential for lawsuits should not be an impediment to enhanced cyber threat information sharing.

To mitigate such fears, good faith actions of these sharing entities should be protected from litigation. In other words, if the sharing is not done with the intent to harm the owner of a domain name or IP address, there should be no basis for a lawsuit. These protections are particularly important as these entities act as clearinghouses for others' information based on cyber attacks occurring at light speed. To be useful, this information must be shared before the malware can be exploited against other victims. This requires real-time exchanges and potentially automated transfers of information. Network administrators should be empowered with such information and should determine how best it should be applied on their systems.

Nonetheless, innocent parties should have some type of recourse for erroneous inclusion on a list of nefarious actors. This is not a new concern, as current spam and malware block lists already have to account for false positives. For example, the Spamhaus Project, which manages complex anti-spam block lists, allows for user discretion in managing mail identified as spam,[14] and provides a means for users of tagged IP addresses and domains to request a prompt removal from Spamhaus block lists following an evaluation.[15]

Clearinghouses should likewise establish mechanisms for reviewing inquiries by parties who claim to be innocent. The government could certify that such mechanisms are in place in order for the clearinghouse to receive limited immunity from lawsuits.

Amend Communications Laws to Clearly Authorize Communications Companies to Monitor and Intercept Malicious Internet Communications with the Consent of a Company or Customer and Share Related Information with the Federal Government, and to Provide Authority to Take Reasonable Actions During a Cyber Emergency Certified by the President

Real and perceived legal limitations in the Electronic Communications Privacy Act (ECPA), and the Wiretap Act that ECPA amended, have deterred communications providers from monitoring communications over their networks for cyber threats, which, in turn, has limited the sharing of details about such threats.[16] Both statutes include service provider exceptions where the interception, disclosure, or use of communications is a necessary incident to the rendition of service or to the protection of the rights and property of the provider.[17] However, to qualify for the exception: 1) a communications provider must have reasonable cause to suspect its property rights are being violated; 2) there must be a substantial nexus between the device targeted for interception and the fraudulent activity; 3) the interception activity must be reasonable and narrowly tailored; and 4) the communications provider cannot be acting as law enforcement's agent.[18]

Many stakeholders believe that the law is not clear as to whether, and to what extent, meaningful network-wide or subscriber-specific cyber monitoring qualifies for the service-provider exception. Court decisions on this provision have not added clarity because they are dated and focused primarily on telephone companies with reasonable grounds to suspect a specific customer is bypassing billing


Cyber Security Emergency

Cyber attacks have the potential to cause catastrophic losses of life and property. We should plan for these crises in advance to mitigate their effects. Moreover, the very act of showing that we are prepared to detect, mitigate and respond will provide some level of deterrence to many of those who would launch such attacks. In fact, many cyber strategists now believe that network resilience, as opposed to the traditional concept of retaliation, offers the best hope for cyber deterrence. Also important, authorities and response options that are carefully thought out and legislated prior to an attack will likely be more effective, prudent, and privacy-protective than on-the-fly reactions to a catastrophic attack already underway.

Legislation should provide that the president may certify to Congress that an emergency exists from an ongoing cyber attack or national security threat. This certification would trigger specific authorities to mandate that reasonable countermeasures be taken by companies that generate, store, route, or distribute online information and by other appropriate private-sector companies, which would be protected from liability for actions that are consistent with government instructions. Following a presidential certification, relevant companies that handle online information should have enhanced authority to access, review and share network traffic and related information in order to identify the threat and take responsive action in coordination with the federal government.

Congress, and to the extent possible the public, should be notified of the certification and actions taken. Such authorization should be limited in duration and subject to timely and reasonable oversight mechanisms, including for appropriate minimization procedures and tailoring of responsive actions.

liberties protection procedures, developed in consultation with privacy and civil liberties experts and with the approval of the attorney general.[23] Finally, the use, collection, retention and sharing of cyber information is limited to protecting against cyber security threats.[24] Information may be used or disclosed for criminal law enforcement only after the attorney general's review and approval of each such application.[25]

The leading bills in the Senate and House similarly create mechanisms for oversight of information-sharing procedures to protect privacy and civil liberties and have limitations on the use of the cyber threat information shared with the government. For example, CISPA requires annual reports from the intelligence community inspector general,[26] the Lieberman-Collins Cybersecurity Act requires an evaluation by the Privacy and Civil Liberties Oversight Board (PCLOB) and annual reports from chief privacy and civil liberties officers and relevant agency inspectors general,[27] and the McCain SECURE IT Act requires biennial evaluation from the PCLOB and the agency or department heads overseeing cyber security centers[28] and annual reports from agency inspectors general.[29]

While the exact terms of these protections vary among the bills, a vigorous dialogue in Congress should be able to resolve differences among them. The critical point of agreement is that the restrictions in ECPA and other laws should not prohibit monitoring of network traffic and the sharing of information about cyber threats and vulnerabilities that is essential to protecting the nation's IT networks. In addition to embracing the privacy and civil liberties protections outlined above, any privacy guidelines required by statute should have deadlines that ensure their timely adoption or for the government to issue interim guidelines if the process of adopting comprehensive guidance is delayed.


Chapter 3: Streamlining Data Breach Notifications

State Data Breach Laws

State data breach notification laws have served two useful purposes: 1) notifying consumers whose data may be at risk for misuse; and 2) providing an incentive for companies to improve data security protections to avoid costly notification requirements and lawsuits. However, the current patchwork of often inconsistent state laws makes compliance difficult and costly. This is made complex by having to provide a notification to each customer that complies with the law in the customer's state. Moreover, companies may be devoting too many resources to avoiding data breach liability when they should be addressing cyber threats more broadly and consistently.[30]

Streamlining and unifying the data breach notification requirements that currently exist in state laws under a national standard, while eliminating punitive lawsuits, would reduce the costs for companies to comply with these breach notification laws and make companies less worried about sharing attack incident details with the government. Even under streamlined federal breach notification requirements, consumers would be protected when breaches occur that present a credible risk of personal data being misused.

Federal Trade Commission (FTC) Authority

Some companies are reluctant to disclose information about data breaches to the federal government for fear of an FTC enforcement action. Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.[31] This prohibition includes deceptive statements and unfair practices involving the use or protection of PII. Enforcement following a security breach can proceed under either the deceptiveness or the unfairness prong.

FTC Enforcement Actions

The FTC brings enforcement actions against companies for deceptive practices if they mislead consumers about how their data will be protected and used. For example, the FTC brought an enforcement action against Ceridian Corporation, a human resources services company, after hackers gained access to the company's network and compromised the PII of approximately 28,000 customers.[32] The FTC alleged that the privacy and information security representations on Ceridian's website were deceptive, because Ceridian touted a "Worry-free Safety & Reliability" security system while failing to take reasonable security measures.[33]

The FTC brings enforcement actions against companies for unfair practices that lack adequate security, even if they do not make false representations. For example, the FTC has brought enforcement actions against companies that fail to: 1) encrypt sensitive personal data,[34] 2) employ reasonable precautions when sharing data with a third party,[35] or 3) use necessary security protocols against reasonably anticipated cyber attacks.[36]

An FTC enforcement action following a security breach is very costly for companies. From beginning to end, the investigation and enforcement action can take over two years and cost millions of dollars in legal and consulting fees.[37] Further, the FTC often imposes obligations on the company that last decades into the future.

Administration Proposal

As part of its cyber security legislation, the Obama administration has proposed a data breach reporting policy that includes a safe harbor measure,[38] which would preempt state disclosure laws in order to streamline breach reporting based on a national standard.[39] Under the administration's proposal, companies suffering a data breach would be exempt from public notification if a risk assessment conducted shortly after the breach finds that the information accessed is sufficiently encrypted to prevent any reasonable risk of misuse.[40] The company must also report these findings to the FTC for review.[41]

Our Proposal

Congress should preempt state breach notification laws and federal unfair trade practice enforcement actions and streamline notifications under a federal standard. It should also provide a safe harbor for companies when there is no actual risk of consumers having their data misused. This regime would help to encourage sharing with the government by reducing the risk that sharing about incidents would result in violations of data breach and unfair trade practice laws.


Recommendations

Our recommendations for securing public-private information sharing include the following:

• Protect cyber threat information provided to the government.

• Establish mechanisms to protect privacy and civil liberties for information shared with the government.

• Provide liability protections for cyber threat information clearinghouses that collect and disseminate cyber threat and vulnerability information.

• Amend communications laws to clearly authorize communications companies to monitor and intercept malicious Internet communications with the consent of a company or customer, and share related information with the federal government.

• Legislation should provide that the president may certify to Congress that an emergency exists from an ongoing cyber attack or national security threat. This certification would trigger specific authorities to mandate that reasonable countermeasures be taken by companies that generate, store, route or distribute online information and by other appropriate private-sector companies, which would be protected from liability for actions that are consistent with government instructions.

• Require the government to push technical cyber threat data, which can be used to protect networks, to the private sector in an unclassified format.

• Require the government to work with critical infrastructure companies to identify key personnel who should receive clearance to review cyber threat and vulnerability information.

• Streamline data breach notification requirements to incidents where there is a credible risk of harm to consumers and establish a safe harbor policy that would exempt a company from state data breach notification laws and federal unfair trade practice enforcement actions following a security breach.

Endnotes

1. We would like to acknowledge and thank BPC research assistant David Beardwood, and the students in the Georgetown University Law School Federal Legislation and Administrative Law Clinic, Jason Crawford, Rebecca Givner-Forbes, Jonathan Miller, Brittany Muetzel, Aarthy Thamodaran, Jacob Wolf, Amanda Blunt, Eric Bolinder, Christopher Lamar, Katrine Lazar, Leah Schloss, and David Silvers, for the valuable legal research they provided for this report.

2. Schmidt, Michael. "New Interest in Hacking as Threat to Security." The New York Times, March 13, 2012. http://www.nytimes.com/2012/03/14/us/new-interest-in-hacking-as-threat-to-us-security.html?_r=2&ref=fb

3. Clayton, Mark. "Alert: Major Cyber Attack Aimed at Natural Gas Pipeline Companies." The Christian Science Monitor, May 5, 2012. http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies

4. U.S. Dept. of Homeland Security. "Gas Pipeline Cyber Intrusion Campaign." ICS-CERT Monthly Monitor, April 2012. http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf

5. U.S. Dept. of Defense. "DIB CS/IA Program." Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program. http://dibnet.dod.mil/staticweb/index.html

6. Nakashima, Ellen. "Cyber Defense Effort is Mixed, Study Finds." The Washington Post, January 12, 2012. http://www.washingtonpost.com/world/national-security/cyber-defense-effort-is-mixed-study-finds/2012/01/11/gIQAAu0YtP_story.html

7. U.S. Dept. of Defense. "Minimum Requirements." Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program. http://dibnet.dod.mil/staticweb/MinReqmts.html

8. U.S. Dept. of Defense. "Department of Defense (DoD)-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities." Federal Register, Vol. 77, No. 92, May 11, 2012. Rules and Regulations. Pp. 27615. http://www.gpo.gov/fdsys/pkg/FR-2012-05-11/pdf/2012-10651.pdf

9. National Council of ISACs. http://www.isaccouncil.org/

10. 6 U.S.C. Part B §§ 131-134 Critical Infrastructure Information. http://www.law.cornell.edu/uscode/text/6/chapter-1/subchapter-II/part-B

11. U.S. Dept. of Homeland Security. "Technology Transfer Mechanisms." http://www.dhs.gov/xabout/structure/gc_1264625623653.shtm

12. Some companies have raised concerns about potential violations of antitrust laws as a reason for not sharing cyber information with other private sector entities. The Department of Justice should outline a safe harbor for cyber information clearinghouses, providing the assurance that participation in them will not lead to prosecution under antitrust laws.

13. Anti-Phishing Working Group (APWG). http://www.antiphishing.org/

14. "Understanding DNSBL Filtering." White paper. The Spamhaus Project. http://www.spamhaus.org/whitepapers/dnsbl_function/

15. "Blocklist Removal Center." Webpage. The Spamhaus Project. http://www.spamhaus.org/lookup/

16. Electronic Communications Privacy Act, 18 U.S.C. Chapter 119, §§ 2510-2522. http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119

17. 18 U.S.C. § 2511(2)(a)(i), 18 U.S.C. § 2702(b)(4) and (c)(3) (emphasis added).

18. See, e.g., United States v. McLaren, 957 F. Supp. 215, 218-19 (M.D. Fla. 1997).

19. See, e.g., McLaren, 957 F. Supp. at 220; United States v. Clegg, 509 F.2d 605, 612 (5th Cir. 1975).

20. The states with two-party consent are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington.

21. 18 U.S.C. Chapter 119, §§ 2510-2522. http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119

22. Department of Homeland Security Cybersecurity Authority and Information Sharing Act of 2011, § 248(a)(2). http://democrats.senate.gov/pdfs/WH-cyber-general-authorities.pdf

23. Ibid. § 248

24. Ibid. § 244(b)

25. Ibid. § 244(b)(3)

26. H.R. 3523 (RFS) § 1104(e)

27. S. 2105 (PCS) §§ 242, 704(g)(5-6)

28. S. 2151 (IS) § 104(a)

29. Ibid. § 3554(a)(4)

30. Forty-six states and the District of Columbia have data breach notification and disclosure laws. The states without these laws are Alabama, Kentucky, New Mexico and South Dakota. See State Security Breach Notification Laws. National Conference of State Legislatures. Available at http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.

State laws vary across the following dimensions: 1) kinds of personally identifiable information (PII) that trigger notification requirements; 2) time in which notification is required; 3) how certain a company must be that PII was breached; 4) content of the breach notice; 5) method of notice; 6) whether notice must be given to parties other than affected customers; and 7) method of enforcement.

E.g., North Dakota requires breach notification if customers' names are released in combination with a date of birth, mother's maiden name, or electronic signature. ND Cent. Code § 51-31-01; e.g., FL Stat. § 817.5681 (requiring notification to affected Florida residents within 45 days of discovering a breach, and imposing a fine up to $500,000 for failure to disclose within that time frame); CT Gen. Stat. Ann. § 36a-701b (requiring notice within 15 days of discovery of a breach). Other states require notification "without unreasonable delay." E.g., 815 IL Com. Stat. 530/5.

Some states require notification if a company is "reasonably certain" a customer has been affected by the breach. However, different states have interpreted this threshold differently. MAKING SENSE OF THE PATCHWORK OF STATE SECURITY BREACH NOTIFICATION STATUTES, supra.

Some states do not specify the content of notice, but others do. E.g., HI Rev. Stat. § 487N-1 (requiring a description of the incident in general terms, the type of personal information that was acquired, acts taken to protect information from being further compromised, telephone number to contact for more information about the breach, and advice to remain vigilant in reviewing account statements and monitoring credit reports); MD Code § 14-3501 (requiring notice to include, among other things, telephone numbers for credit reporting agencies, the Federal Trade Commission, and the Maryland Attorney General).

Most states allow for notice by telephone, writing or email. MAKING SENSE OF THE PATCHWORK OF STATE SECURITY BREACH NOTIFICATION STATUTES, supra note 7. Some require the customer's consent to send notice via email. E.g., FL Stat. Ann. § 817.5681. Some states allow only for written or email notice. E.g., DC Code § 28-3851.

E.g., CO Rev. Stat. § 6-1-716 (notice required to credit reporting agencies if number of affected customers exceeds 1,000); DE Code Ann. tit. 6 § 12B-101 et seq. (requiring notice to Consumer Protection Division of the Delaware Department of Justice).

E.g., CT Gen. Stat. Ann. § 36a-701(b) (providing for enforcement by attorney general only); CA Civ. Code § 1798.82 (providing a private right of action for individuals harmed by a business's failure to comply with the notification statute).


31. 15 U.S.C. § 45 (2006).

32. In the Matter of Ceridian Corporation. FTC File No. 1023160 (2011).

33. Ibid.

34. In the Matter of BJ's Wholesale Club, Inc. FTC File No. 0423160 (2005) (finding that the failure to encrypt personal data on BJ's computer networks was an unfair practice).

35. Kennedy, John B. "A Primer on Key Information Security Laws in the United States." PLI Pat., Copyrights, Trademarks, and Literary Prop. Course Handbook Series No. 14648, 161-62 (2008).

36. In the Matter of ACRAnet, Inc. FTC File No. 0923088 (2011).

37. "Surviving an FTC Investigation After a Data Breach." 1048 PLI/Pat 467, 473.

38. Data Breach Notification § 102(b). http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/data-breach-notification.pdf

39. § 109

40. § 102(b)(1)(A)

41. § 102(b)(1)(B)
