Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis. N. Eric Weiss, Specialist in Financial Economics. February 23, 2015.

“Data breaches, such as those at Target, Home Depot, Neiman Marcus, JPMorgan Chase, and Anthem, have affected financial records of tens of millions of households and seem to occur regularly. Companies typically respond by trying to increase their cybersecurity, hiring consultants, and purchasing new hardware and software. Policy analysts have suggested that sharing information about these breaches could be an effective and inexpensive part of improving cybersecurity. Firms share information directly on an ad hoc basis and through private-sector, nonprofit organizations such as Information Sharing and Analysis Centers (ISACs) that can analyze and disseminate information. Firms sometimes do not share information because of perceived legal risks, such as violating privacy or antitrust laws, and economic incentives, such as giving information that will benefit their competitors. A firm that has been attacked might prefer to keep such information private out of a worry that its sales or stock price will fall. Further, there are no existing mechanisms to reward firms for sharing information. Their competitors can take advantage of the information, but not contribute in turn. This lack of reciprocity, called “free riding” by economists, may discourage firms from sharing. Information that is shared may not be applicable to those receiving it, or it might be difficult to apply.”