As hackers and cyberarmies shred network defenses, industry experts weigh the ethics of breach disclosure and information sharing. Lee Sustar reports.
Hammered by mega-breaches and constantly probed by would-be attackers, enterprises, government entities and other organizations are asking whether an ethical approach to cybersecurity requires sharing more information than the law requires.
Many experts see ethical issues playing an increasingly important role as information security lapses not only spur greater consumer protection laws and increased regulation, but also put preeminent corporate brands at risk.
It's the reputational hit from a data breach that's the key driver of information security ethics, says Eric Burger, a research professor of computer science at Georgetown University.
“Corporations act ethically because they have to,” says Burger, a veteran IT entrepreneur. “If they say they are, it is because they want to be in an ethical funds portfolio.” The average corporation is not founded on the basis of protecting data, he says. By contrast, the NGO where he serves as a board member has a commitment to ethics beyond the industry standard.
According to attorney Gary Kibel, the ethics of breach disclosure and threat intelligence sharing has to be seen in light of three basic categories: state and federal disclosure laws, regulatory requirements and contractual obligations to business partners that may require or prevent disclosure.
“If no one is forcing you, or you have no obligation [to report a breach], you need to decide whether you want to do it yourself,” says Kibel, partner in the digital media, technology and privacy practice at the Davis & Gilbert law firm in New York.
“We will talk to clients about what makes sense for their business,” Kibel says. “But ultimately they have to decide whether they are going to disclose even if they are not required or prohibited from doing so.”
Those ethical questions are inevitably entangled with divergent and often conflicting breach disclosure laws across 47 states in the U.S., says Thomas Smedinghoff, a Chicago-based attorney with Locke Lord.
“In some states, you are required to disclose certain things about the breach,” he says. “But in Massachusetts, the law says you are prohibited from disclosing them. If you were just being ethical, you could violate the law.”
Federal legislation governing data breaches presents further challenges to the efforts of information security ethicists to balance collaboration with law enforcement against transparency to business partners and the public. The proposed Data Security and Breach Notification Act of 2015, for example, would mandate breach disclosure to consumers within 30 days “unless United States Secret Service or the Federal Bureau of Investigation determines that notification under this section would impede a criminal investigation or a national security activity.”