Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis [December 11, 2014] [open pdf - 683KB]
From the Document: "Data breaches, such as those at Target, Home Depot, Neiman Marcus, and JPMorgan Chase, affecting financial records of tens of millions of households seem to occur regularly. Companies typically respond by trying to increase their cybersecurity by hiring consultants and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information. Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving useful information to their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called 'free riding' by economists, may discourage firms from sharing. In addition, the information shared may not be applicable to those receiving it, or it might be difficult to apply."
CRS Report for Congress, R43821
Federation of American Scientists: http://www.fas.org/sgp/crs/index.html