Friday, November 01, 2002

Businesses afraid of reporting cybercrimes?

You're the chief information officer for a tech business. Your computer system has just been hacked. Who do you call?

A number of businesses have been hesitant to contact the FBI in that situation. At a cybercrime conference in Virginia yesterday, government officials made assurances that they would try to avoid bad publicity for a company when circumstances like that arise.

CIO.com presents a view of reporting cybercrime from an information executive's perspective called "Fear Factor: A reality check on your top five concerns about reporting security incidents." The article does raise a serious concern in addition to those five that people should be aware of.

The five that they list, and explain very well:
  • Fear of calling the wrong agency
  • Fear that everyone will find out
  • Fear that the government will take computers away
  • Fear that they will end up looking bad
  • Fear that there is no benefit to reporting cybercrime

The article also considers a Freedom of Information Act exemption that was being reviewed by the Senate that would protect information disclosed by a company that voluntarily reported cybercrime to the Federal Government. The act was originally the Critical Infrastructure Information Security Act of 2001 (summary), which was worked into the Homeland Security Act of 2002 (pdf). (See TITLE VII—Miscellaneous, Subtitle C—Critical Infrastructure Information, starting on page 170).

However, as the CIO.com article states, it may be possible that preparedness for a cyberattack should be part of an SEC disclosure, as is the reporting of a cybercrime:

"We can show that reporting may be a legal duty," says Christopher Wolf, a partner for Proskauer Rose in Washington, D.C.—specifically, in cases where an incident could have a significant impact on business.

And, under the Homeland Security Act, a disclosure to the SEC would not be protected under the FOIA exemption. A sidebar to the CIO.com article notes that the Homeland Security Act didn't make it through the legislative process this term. But, it's possible that the exemption will survive any retooling of the Act when the next term begins. And, even if the Homeland Security Act doesn't go through, this issue will likely be revisited in some form.

So, you're the chief information officer for a tech business. Your computer system has just been hacked. Who do you call?
