Organizations Rarely Report Breaches to Law Enforcement
Kelly Jackson Higgins has a column on why organizations do not rush to share information with the FBI and why the FBI wants them to share more:
…. the FBI will protect victim organization’s privacy, data, and will share what information it can from its investigation, he said, rather than continue with the mostly one-way sharing that organizations traditionally have experienced when dealing with the FBI.
Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe, says different companies have their own rules about reporting to law enforcement. “[Many] won’t talk to law enforcement without an NDA [non-disclosure agreement],” says Terrell, who was speaking on behalf of the Council. “The FBI has a hard time signing it. That hasn’t been successful so far, so sharing with the FBI has been minimal.”
He says the feds have their own communications “protocol” for sharing classified information, but they don’t have a standard and confidential way to work with the private sector on breach investigations. And until the feds can work with NDAs, there won’t be much back-and-forth between companies and these agencies about breaches, he predicts.
Read more on Dark Reading.
So let’s see… unless the feds agree to become complicit in shielding the companies who want to hide breaches from we, the people, the companies will not share information with them? That’s just another reason for Congress to mandate public disclosure and notification. The federal government, our public employees, should not be making deals to keep information about breaches secret from us.