© 2014 WESTERN DIGITAL CORP. ALL RIGHTS RESERVED. Company Confidential

Legislative & Regulatory Activities Involving Cyber Security

Bob Bowen, May 2015

Upload: vivien-fleming

Post on 27-Dec-2015



Cyber Security: Legislative & Regulatory Activities

Data Breach Safeguards and Remedial Actions

- ~47 different state standards re: notification and remedial actions
- sense that this is untenable but no consensus on a single federal standard
- major interests: financial services, retailers, and privacy/consumer rights

Information Sharing

- companies seek liability protection re: sharing threat or attack information
  - potential legal problems could include failure to safeguard PII, antitrust questions, investor lawsuits, and confidentiality/privilege waiver risks.
  - could also be discoverable through FOIA requests
- some points of agreement but significant divergence remains
  - fate of PII, recipient of data, usage of data, scope of protection
- major interests: cross-industrial business interests, privacy advocates, law enforcement, and national security officials


Cyber Security: Data Breach - Particulars

Data Breach in the Legislative Branch

- currently 6 bills in the Senate and 3 bills in the House
- many cater to particular interests (financial services, retailers, privacy/consumer, etc.) and, in so doing, are opposed by competing interests
  - Ex: the financial services industry supports the Carper/Blunt bill but opposes the Warner bill; the retail industry opposes the Carper/Blunt bill but supports the Warner bill. Neither supports the Leahy bill.
- unlikely that any of these bills will move over the summer

Data Breach in the Executive Branch

- National Institute of Standards and Technology Framework and Roadmap from 2014
  - currently the leading documents on voluntary measures by the private sector
- Federal Trade Commission “Start with Security” initiative aimed primarily at initial design of products for the Internet of Things
- Growing Securities and Exchange Commission interest
  - public statements that Boards must pay greater attention to cyber security
- Increasing Federal Communications Commission attention
  - recent guidance to internet service providers


Cyber Security: Information Sharing - Particulars

Information Sharing in the Legislative Branch

- 2 bills passed the House in April (one sponsored by Devin Nunes)
  - bills differ in oversight entity – Department of Homeland Security vs. Office of the Director of National Intelligence
- 4 bills at varying stages in the Senate (including companions to those passed by the House)
- movement will likely pivot on how PII is scrubbed, held, and deleted.

Information Sharing in the Executive Branch

- Executive Order 13691 in February 2015
  - pulls from 2003 law establishing Information Sharing and Analysis Organizations
  - encourages establishment of ISAOs under the direction of the Department of Homeland Security to gather, analyze, and disseminate cyber threat information
- recent DHS notice of availability of $11M grant to fund an ISAO Standards Organization.