You're the chief information officer for a tech business. Your computer system has just been hacked. Who do you call?
A number of businesses have been hesitant to contact the FBI in that situation. At a cybercrime conference in Virginia yesterday, government officials made assurances that they would try to avoid bad publicity for a company when circumstances like that arise.
Cio.com presents a view of reporting cybercrime from an information executive's perspective called Fear Factor: A reality check on your top five concerns about reporting security incidents. The article does raise a serious concern in addition to those five that people should be aware of.
The five that they list, and explain very well:
- Fear of calling the wrong agency
- Fear that everyone will find out
- Fear that the government will take computers away
- Fear that they will end up looking bad
- Fear that there is no benefit to reporting cybercrime
However, as the CIO.com article states, it may be possible that preparedness for a cyberattack should be part of an SEC disclosure, as is the reporting of a cybercrime:
"We can show that reporting may be a legal duty," says Christopher Wolf, a partner for Proskauer Rose in Washington, D.C.—specifically, in cases where an incident could have a significant impact on business.And, under the Homeland Security Act, a disclosure to the SEC would not be protected under the FOIA exemption. A sidebar to the CIO.com article notes that the Homeland Security Act didn't make it through the legislative process this term. But, it's possible that the exemption will survive any retooling of the Act when the next term begins. And, even if the Homeland Security Act doesn't go through, this issue will likely be revisited in some form.
So, you're the chief information officer for a tech business. Your computer system has just been hacked. Who do you call?