Adam Stone reports:
When state and local IT systems get breached, there’s a balancing act to be struck. How much can and should the public be told?
Some advocates of transparency and accountability say anything that happens in the public realm ought to be public knowledge. On the opposite extreme, some IT leaders worry that anything they disclose can and will be used against them by the bad actors: Better to say little or even nothing about a cyber incident.
Some are ready to codify the latter view. Recent legislation passed in Georgia, for example, puts limits on what government has to share about cybersecurity incidents. It provides for “certain information, data and reports related to cybersecurity and cyber attacks to be exempt from public disclosure and inspection.” That’s vague, and possibly ominous: state legislatures telling IT leaders what they can and can’t say about a breach.
Read more at Governing.