Breach Reporting and Nondisclosure Agreements
by Brent Kirkpatrick
(Date Published: 4/20/2018.)
In many cases, it is wise for a CEO to have contained the cybersecurity incident before announcing the incident to the media. This is because a media announcement of the problem is often accompanied by an increase in hacking. However, CEOs have used NDAs to avoid calling in the FBI, to avoid collaborating with the software industry, and to avoid reporting entirely.
Proper reporting of cybersecurity incidents requires alerting the FBI, requires sharing the most crucial results of digital forensics, and requires alerting the individuals whose personal information was accessed by hackers. The FBI needs to be told when and how the cyberattacks were carried out. This allows law enforcement to track the activities of hacker groups as they cyberattack multiple victims. The crucial results of digital forensics need to be shared with software engineers through the Common Vulnerabilities and Exposures (CVE) database. This is so that the critical vulnerabilities can be patched. Finally, the individuals affected by data theft need to be informed, so that they can mitigate the risk of fraud and other crime.
Nondisclosure agreements are a modern business invention that prohibits an employee from discussing company trade secrets. NDAs were designed to protect intellectual property from theft. Unfortunately, the cybersecurity community has been using NDAs to suppress or delay proper reporting of cyberattacks.