One of the main topics in the textbook this week is disclosure after a cybersecurity breach. Disclosure is discussed in at least three distinct categories:
Disclosure of a breach of personal information, so that the victims are notified (and presumably can take some kind of action to help protect themselves).
Disclosure of a breach at a publicly traded company so that shareholders are aware of the financial consequences.
Disclosure of the methods used by attackers during an attack, so that other organizations can adjust their cybersecurity to block those methods.
Regarding the first category, most states have disclosure laws, though they vary considerably.
Regarding the second category, as mentioned in the textbook, the Securities and Exchange Commission (SEC) does encourage disclosure, though I've read some of those, and they aren't particularly informative.
Regarding the third category, that is still voluntary in almost all cases, though there is information sharing in particular industry groups.
For this discussion, just consider what you think would be appropriate disclosure requirements. You can talk about any of these three categories. What's the benefit or downside of disclosure? Should disclosure only be required if certain thresholds are reached, for instance, a certain number of personal records, or a certain dollar amount in damages? Should banks, for instance, always be required to disclose attackers techniques when they are attacked? (the textbook talks about this example). The choice for topics is almost limitless!