Davis advises companies to establish a compliance program with safeguards, including training, to ensure cyberthreat information is disseminated properly. “Safeguards have a dual benefit,” said Davis. “They limit the likelihood of a violation, but they can also be used to show a good-faith effort if a problem does arise.” Davis added that an FTC-DOJ policy statement issued earlier this month does not break new ground on this issue, and that it remains unclear whether it will increase data sharing.
“I can still imagine in-house counsel recommending against information sharing where there's not enough time to conduct an analysis, or where there's a close call and they don't want to risk a violation,” said Wool. He noted some federal and state laws require companies to disclose cybersecurity incidents, but they do not ensure reporting of all threats. Wool pointed to some state laws which provide exemptions for situations involving encrypted data. “That's a big hole,” he said. “You can't rely totally on these laws for getting access to threat information.”
Wool added that companies will likely remain reluctant to share data on cyberthreats until Congress addresses legal protections for them. “We really need legislation to address these concerns,” he said. “Otherwise, I'm not sure if there will be a huge increase in information sharing.”