New cybersecurity legislation would shield companies from public records laws

Published 2 December 2015

Legislation which has passed both houses of Congress, but has not yet been signed into law by the president, aims to encourage companies and organizations to share with the U.S. government information about cyberattacks and cyberthreats they experience, but critics say there is a catch: the legislation would severely restrict what the public can learn about the program.

The legislation would exempt the information the companies share with the government from public records laws, and would allow the companies to determine for themselves what information they want the government to keep secret.

Critics charge that the language of the bill makes it unclear whether the public can even learn whether or not a specific company has suffered a cyberbreach.

The Minneapolis Star-Tribune reports that the legislation passed with bipartisan support, although both privacy advocates and technology companies raised concerns about the bill’s privacy implications. Other businesses, however, agreed to support the bill after antitrust and consumer-liability protections for participating companies were added to the bill.

Transparency advocates charged that the law, through new restrictions to the U.S. Freedom of Information Act, would provide excessive cover to tech companies. The critics complain that these restrictions and exemptions could be used to conceal information about what the government is doing, or not doing, to protect Americans from cybercrime.

“There should be an element of public debate,” Rick Blum, director of the Washington-based Sunshine in Government Initiative, told the Star-Tribune. “Oftentimes, public disclosure and accountability motivates people to be doing more and to be making the right choices.”

Current federal public records law already restricts the disclosure of government information to that information which would not hurt national security, violate personal privacy, or expose business secrets or certain confidential decision-making. There are also exclusions for critical infrastructure-related.

The new law, however, explicitly allows additional exemptions for “cyberthreat indicators” and “defensive measures” shared by companies. Critics say these terms are too vague and ill-defined, so they allow for an interpretation which would permit the government to avoid disclosure of information which would otherwise have to be disclosed.

Congress has yet to work out differences between the House and Senate bills before the bill is sent to the president.