This is a big deal. Every attack report I've read that matters highlights where its data points were collected. Those reports also point out that their trends are based ONLY ON WHAT IS REPORTED, meaning there are organizations that experienced an incident yet did not report it, so it was never recorded or known. What this translates to is that the risk described by risk reports isn't accurate, because there has been no way to know how many organizations were or were not impacted by a given threat ... until now.
What this law puts into effect is a requirement that organizations admit a breach. This includes those that decided to pay a ransom, were afraid of negative public backlash, didn't feel they had time to report the event, or had any other excuse that previously held them back from reporting breaches. There are exceptions in place for cases where the organization believes that reporting would expose it to more risk, but the hope is that this law will improve the real-world understanding of risk.
The Federal News Network posted about this HERE. I'm happy to see this come into play. Will it always be enforced? Probably not. I can see an organization having a small breach and just taking the risk of not reporting it. I can also see some organizations not reporting it and, if caught, hiding behind the exception clause or claiming they didn't know they had to report it. But at least there is legal action taking a step in the right direction, versus today, where organizations bear no liability for failing to report a breach. Some organizations are very good at reporting breaches regardless of the blowback, and I personally salute those organizations for doing the right thing. The remaining organizations now have a reason to do the right thing as well.