THE HILL
 

Cyber Security Act of 2012 requires a liability protection bug fix

By Gus P. Coldebella, former acting General Counsel, Homeland Security Department - 02/22/12 02:52 PM ET

The Lieberman-Collins-Rockefeller-Feinstein Cyber Security Act of 2012 seeks to protect high-risk critical infrastructure of the United States from cyber attack, and to create a place for private sector entities to share cyber information without fear of reprisal—while receiving the “secret sauce” only the government can provide: intelligence and law enforcement information. These dual goals are important, and it is past time Congress acted in this area.  But the Act is—to use a tech term—buggy.  It doesn’t sufficiently tamp down potential legal liability for private entities, and in some cases increases it, creating an insurmountable disincentive for companies to voluntarily share cyber information. It leaves owners of critical infrastructure subject to civil litigation and outsized damages if an attack happens, even when they fully comply with the Act’s mandates. Before the Act comes out of beta, Congress should debug its liability protection provisions.  Here’s how:

No private rights of action for information sharing violations

To encourage private entities to monitor and protect their systems against attack and share cyber threat information on newly-created “cybersecurity exchanges,” the Act bakes in protections designed to minimize litigation risk. Information shared on the exchanges is protected from FOIA disclosure and from use as evidence in enforcement actions against the private entity. The Act even purports to eliminate any criminal or civil causes of action arising from authorized monitoring, defending, or sharing. But the Act contains an exception that, if made law, would completely undo these incentives. It creates civil claims against entities that do not use “reasonable efforts to safeguard communications, records, system traffic, or other information that can be used to identify specific persons.”  But what’s reasonable? And who decides? Which court has jurisdiction and what’s the potential liability? The beta version of the Act virtually guarantees that private entities, legitimately fearing an onslaught of privacy litigation (with concomitant public scrutiny and the potential for massive damages), will decline to participate in this voluntary system. For effective information sharing, Congress must limit these claims.

Eliminate or cap liability for in-compliance critical infrastructure owners.

The compulsory part of the Act regulates critical infrastructure that—if subject to cyber attack or intrusion—could cause a catastrophe. If owners of this high-risk infrastructure do not meet cyber “performance requirements” created by industry and adopted by the Homeland Security secretary, they are subject to severe federal regulatory enforcement including civil penalties and injunctive relief, and maybe more. (The analogous Chemical Facility Anti-Terrorism Standards, or CFATS, allows DHS to shut down non-compliant plants.)  But what if the infrastructure meets the Act’s performance standards, and an attack happens anyway? Unwisely, the Act allows private-party damages claims against infrastructure owners, and though it purports to limit punitive damages, the limitation is weak. Subjecting infrastructure to the immense enforcement power of the federal government is incentive enough for compliance (augmenting the existing incentive to protect shareholder value); there’s no need for the additional cudgel of private litigation. Compliance with the Act can be deemed to meet the applicable “standard of care,” shutting the door on private claims. Congress should limit lawsuits arising from a successful attack on in-compliance infrastructure, or at least cap liability and streamline and consolidate any litigation in federal court.

As a veteran of the Bush administration’s cyber security efforts, I agree with the Act’s goals, its allocation of responsibility to the Department of Homeland Security, and its reliance on industry-created performance standards, rather than a one-size-fits-all regulatory scheme that would eliminate useful, private sector solutions to dynamic problems. But the Act increases liability when it should be limited, and disincentivizes participation when it should be encouraged. Before it becomes law, Congress should debug the Act to ensure it adequately addresses the nation’s ongoing cyber security crisis.

Coldebella was acting General Counsel of the U.S. Department of Homeland Security from February 2007 to January 2009, and Deputy General Counsel from October 2005 to February 2007.  He is a litigation partner at Goodwin Procter LLP in Washington, D.C., and a senior fellow at GWU’s Homeland Security Policy Institute.



Source:
http://thehill.com/blogs/congress-blog/technology/212049-cyber-security-act-of-2012-requires-a-liability-protection-bug-fix