Starting next month, private and public Louisiana companies can share cybersecurity threat information and defensive measures with state agencies, but should they? Participation is not mandatory, but company boards should at least consider it, says Walt Green, partner at Phelps Dunbar.
While essentially a state version of the Federal Cybersecurity Information Sharing Act of 2015, SB46, signed last week by Gov. John Bel Edwards, can be a two-way street for benefits, says Green. Using the data reported, the state can warn companies and the media about which cyber threats are prevalent in Louisiana, while companies can get information about how to better protect their data.
“The more companies that participate in the process, the better information and better threat analysis and broader range of defensive techniques they can receive and employ,” says Green, adding he doesn’t expect participation to carry a heavy financial burden for companies.
Should businesses elect to participate, the largest burden will fall to the company’s information systems manager, who would need to ensure data shared with state agencies doesn’t include any personally identifying information.
“I would encourage them all to consider it,” Green says, “but they need to know what it is, know the conditions for protection, do it correctly and utilize it. If you’re not going to do it exactly like statute, it’s too risky.”