© 2014 WESTERN DIGITAL CORP. ALL RIGHTS RESERVED. Company Confidential Legislative & Regulatory Activities Involving Cyber Security Bob Bowen May 2015.


2 Cyber Security Legislative & Regulatory Activities

- Data Breach Safeguards and Remedial Actions
  - ~47 different state standards re: notification and remedial actions
  - sense that this is untenable but no consensus on a single federal standard
  - major interests: financial services, retailers, and privacy/consumer rights
- Information Sharing
  - companies seek liability protection re: sharing threat or attack information
  - potential legal problems could include failure to safeguard PII, antitrust questions, investor lawsuits, and confidentiality/privilege waiver risks
  - could also be discoverable through FOIA requests
  - some points of agreement but significant divergence remains
  - fate of PII, recipient of data, usage of data, scope of protection
  - major interests: cross-industrial business interests, privacy advocates, law enforcement, and national security officials

3 Cyber Security Data Breach - Particulars

- Data Breach in the Legislative Branch
  - currently 6 bills in the Senate and 3 bills in the House
  - many cater to particular interests (financial services, retailers, privacy/consumer, etc.) and, in so doing, are opposed by competing interests
  - Ex: the financial services industry supports the Carper/Blunt bill but opposes the Warner bill; the retail industry opposes the Carper/Blunt bill but supports the Warner bill. Neither supports the Leahy bill.
  - unlikely that any of these bills will move over the summer
- Data Breach in the Executive Branch
  - National Institute of Standards and Technology Framework and Roadmap from 2014
    - currently the leading documents on voluntary measures by the private sector
  - Federal Trade Commission “Start with Security” initiative
    - aimed primarily at initial design of products for the Internet of Things
  - Growing Securities and Exchange Commission interest
    - public statements that Boards must pay greater attention to cyber security
  - Increasing Federal Communications Commission attention
    - recent guidance to internet service providers

4 Cyber Security Information Sharing - Particulars

- Information Sharing in the Legislative Branch
  - 2 bills passed the House in April (one sponsored by Devin Nunes)
  - bills differ in oversight entity – Department of Homeland Security vs. Office of the Director of National Intelligence
  - 4 bills at varying stages in the Senate (including companions to those passed by the House)
  - movement will likely pivot on how PII is scrubbed, held, and deleted
- Information Sharing in the Executive Branch
  - Executive Order 13691 in February 2015
    - pulls from 2003 law establishing Information Sharing and Analysis Organizations
    - encourages establishment of ISAOs under the direction of the Department of Homeland Security to gather, analyze, and disseminate cyber threat information
    - recent DHS notice of availability of $11M grant to fund an ISAO Standards Organization

