To encourage private entities to monitor and protect their systems against attack and share cyber threat information on newly created “cybersecurity exchanges,” the Act bakes in protections designed to minimize litigation risk. Information shared on the exchanges is protected from FOIA disclosure and from use as evidence in enforcement actions against the private entity. The Act even purports to eliminate any criminal or civil causes of action arising from authorized monitoring, defending, or sharing. But the Act contains an exception that, if made law, would completely undo these incentives. It creates civil claims against entities that do not use “reasonable efforts to safeguard communications, records, system traffic, or other information that can be used to identify specific persons.” But what’s reasonable? And who decides? Which court has jurisdiction, and what’s the potential liability? The beta version of the Act virtually guarantees that private entities, legitimately fearing an onslaught of privacy litigation (with concomitant public scrutiny and the potential for massive damages), will decline to participate in this voluntary system. For effective information sharing, Congress must limit these claims.
Eliminate or cap liability for in-compliance critical infrastructure owners.
The compulsory part of the Act regulates critical infrastructure that—if subject to cyber attack or intrusion—could cause a catastrophe. If owners of this high-risk infrastructure do not meet cyber “performance requirements” created by industry and adopted by the Homeland Security secretary, they are subject to severe federal regulatory enforcement including civil penalties and injunctive relief, and maybe more. (The analogous Chemical Facility Anti-Terrorism Standards, or CFATS, allows DHS to shut down non-compliant plants.) But what if the infrastructure meets the Act’s performance standards, and an attack happens anyway? Unwisely, the Act allows private-party damages claims against infrastructure owners, and though it purports to limit punitive damages, the limitation is weak. Subjecting infrastructure to the immense enforcement power of the federal government is incentive enough for compliance (augmenting the existing incentive to protect shareholder value); there’s no need for the additional cudgel of private litigation. Compliance with the Act can be deemed to meet the applicable “standard of care,” shutting the door on private claims. Congress should limit lawsuits arising from a successful attack on in-compliance infrastructure, or at least cap liability and streamline and consolidate any litigation in federal court.
As a veteran of the Bush administration’s cyber security efforts, I agree with the Act’s goals, its allocation of responsibility to the Department of Homeland Security, and its reliance on industry-created performance standards, rather than a one-size-fits-all regulatory scheme that would eliminate useful, private sector solutions to dynamic problems. But the Act increases liability when it should be limited, and disincentivizes participation when it should be encouraged. Before it becomes law, Congress should debug the Act to ensure it adequately addresses the nation’s ongoing cyber security crisis.
Coldebella was acting General Counsel of the U.S. Department of Homeland Security from February 2007 to January 2009, and Deputy General Counsel from October 2005 to February 2007. He is a litigation partner at Goodwin Procter LLP in Washington, D.C., and a senior fellow at GWU’s Homeland Security Policy Institute.