November 24, 2021 | Law360

With Congress on the verge of passing legislation requiring certain companies to disclose cyberattacks and ransomware payouts, Bracewell’s Seth DuCharme spoke with Law360 about how any new breach reporting legislation sets punishment for noncompliance, compared with the rewards companies can see for making timely reports.

“There needs to be clear messaging about the benefits of disclosure, both in the short term and the long term,” said DuCharme.

The government could spur quicker reporting of cyberattacks if it can demonstrate an ability, for example, to get victims ahead of the curve on ransomware negotiations by providing data on a certain cybercriminal gang’s tactics, DuCharme explained.

“My concern is that even though the government will collect a lot of information and use it to inform policy, in real time, it may not be able to use that information at the same pace as the threat actor,” added DuCharme. “Is this all something that will end up in a report three years down the road, or will you show up like a firefighter and help me put out this fire?”
