The White House’s senior official on cybersecurity said Wednesday that companies should worry more about being sued for not sharing data threat information.
Companies have resisted sharing information about threats for fear it could expose them to antitrust lawsuits.
“We always talk about the liability concerns about sharing the information — I'm starting to hear a lot more about the liabilities for companies for not sharing,” Schwartz said at a cybersecurity summit in Washington hosted by The Armed Forces Communications and Electronics Association. “We need to share ... It works in both directions at this point, which is a change from where we were a few years ago.”
After last year's data breach at Target, the retail industry has worked with the financial services industry to create a retail Information Sharing and Analysis Sharing Center (ISAC), modeled after the Financial Services ISAC. ISACs are a joint partnership between firms and the government that allow the entities to share threat information aimed at preventing cyberattacks.
Firms were nervous that sharing threat information could expose them to lawsuits during a breach. Schwartz said he was encouraged to see the ISACs develop and that the companies' apprehension has changed from liability concern about sharing too much to concern about sharing too little.
“Two years ago, we were hearing more and more reasons why people thought that they couldn't share. Now we're hearing more reasons why people feel like they need to share,” Schwartz said.
While a handful of lawmakers have introduced legislation, there’s been little movement on Capitol Hill. Schwartz said regulators and businesses can't afford to wait.
“A lot of information sharing on the Hill had focused on getting information from the private sector to the government,” Schwartz said. “[But we feel like] we can make some progress without legislation. ... It will benefit companies' bottom lines if they share. It will benefit government agencies to share more information.”