Comparing the Senate Cybersecurity Liability Provisions

In earlier posts I’ve written generally about the information sharing provisions of the Lieberman-Collins cybersecurity bill and the McCain bill.  Today I want to begin drilling down in comparing the two bills on a more detailed basis.  I’ve chosen for the first of these posts the competing liability exemption provisions and other related protections. Both bills, as I’ve said, generally seek to authorize enhanced information sharing between the private sector and other private sector actors and also from the private sector to the government.  [They also try to enhance government-to-private sharing but for obvious reasons that vector isn’t relevant to the discussion of liability limitations – I have to imagine that the government is not liable at all for any adverse consequences that might arise from its decision to share (or not share) classified cyber threat information.] In doing so, both bills confront an obvious and clear problem – no private sector actor will share cyber threat or vulnerability information if doing so will subject him to adverse consequence.  Thus, generically, both bills have liability exemptions; exemptions from FOIA and other protections that are an inducement to share.  But while generically similar, the details between the two bills differ starkly. Let’s start with Lieberman-Collins: Section 704 authorizes private sector entities to share information with the to-be-created Federal cybersecurity exchanges.  Section 704(d) exempts the information provided from subsequent disclosure under the FOIA – thus ensuring that propriety confidential business information does not become a public record by virtue of the disclosure.  Section 704(e) likewise confirms that cyber threat information shared with the Federal government is not considered an improper ex parte communication and section 704(f) says that any disclosure is not to be considered a waiver of any applicable privilege.  And under section 706(c) no information shared with the Federal government can be used as evidence in any regulatory action. Other provisions likewise make a great deal of sense.  Section 706(d) says that if the Attorney General, the Secretary of DHS or the Director of ODNI determine that a public disclosure of a cyber threat should be delayed, then the private sector actor who responds to a delay request is not liable.  And section 706(e) precludes liability for any private sector actor receiving cyber threat information who reasonably fails to act.  (Here, of course, some potential for liability exists, as the definition of a “reasonable” failure may be subject to dispute).  In addition, section 706(f) removes any protections for a knowing and willful violation of restrictions on information sharing contained in the bill – hardly a provision one can object to. So far so good – the provisions are direct and clear.  But the Lieberman-Collins liability provisions become a bit less well-defined when we turn to Section 706 – the liability protections that apply to both section 704 private-to-government and section 702 private-to-private information sharing.  Section 706(a)(2) says that no private entity will be subject to any civil or criminal action for cyber threat information voluntarily shared:

• to Federal cybersecurity exchange;
• from a cybersecurity provider to a customer;
• to a Federal or private entity that manages critical infrastructure; or
• to any other entity under section 702, if the information is also shared with a Federal cybersecurity exchange.

That seems pretty comprehensive.  Indeed, if read generously, the only type of sharing that is authorized but excluded from the liability protection is private-to-private sharing with non-critical infrastructure where the sharing entity neglects to also share it with the Federal cybersecurity exchange.  Given the fairly large carrot of total liability protection it is almost impossible to imagine any private entity neglecting to also clue in the Federal cybersecurity exchange. It is therefore a matter of some confusion as to why the section 706(b) good faith defense is necessary.  That section provides that for any disclosure which is not completely protected by section 706(a), good faith is a defense.  Of course, “good faith” is a fact bound issue and will generate litigation.  More problematically, the provision of this defense suggests that the protections of 706(a) are less complete than one might suppose – creating a real ambiguity. The other provision that will trouble many is not at all ambiguous.  Section 706(g) quite clearly and purposefully writes in an exception to the liability protections of 706(a) and preserves private rights of action against private sector entities who do not use or protect cyber threat information in conformance with the limitations of section 702(b) or 704(c).  Broadly speaking, those two sections require private sector actors to: a) safeguard information they receive; b) abide by limitations and restrictions on the use of information imposed by the entity who disclosed it; c) not use the information for competitive advantage; and d) not use the cyber threat information for any non-cyber purpose. That private right of action provision seems to create a pretty significant loophole.  Almost any action by a private sector actor of which an aggrieved party might complain will, likely, be charecterizable as falling within one of these four categories.  Thus, private sector actors, with some justification, worry that the private right of action savings clause of the Lieberman-Collins bill, take away with the left hand the very protections they were given with the right. Finally, there is a conundrum at the core of all this that goes beyond the private right of action issue.  Section 702(a) which authorizes private-to-private information sharing, begins with “Notwithstanding any other provision of law.”  Likewise section 704(a) authorizes private-to-Federal information sharing “notwithstanding any other provision of law.”  No doubt that phrase was intended to apply to other laws that might limit the act of voluntary sharing – but read literally, the authorization statute might trump the other provisions of this law.  That’s an unlikely interpretation and one the courts would probably reject, but still …  Maybe I’m missing something here. The McCain bill is conceptually much simpler.  Like Lieberman-Collins, the McCain bill begins, in section 102(a) with a broad authorization for the sharing of cyber threat and vulnerability information either with a Federal cybersecurity center or with any other private sector entity.  [As an aside, McCain makes the obvious (and one assumes implicit in L-C) statement in section 102(b) that cybersecurity entities providing cybersecurity services to the Federal government are, naturally, obliged to disclose any threat information relevant to the Federal government to the agency they are protecting.] McCain then goes on to mirror virtually all of the protections that are found in the Lieberman-Collins bill.  Section 102(c)(3) says that private sector information shared with the Federal government is proprietary and can’t be shared further without the consent of the private sector company and is not considered a privilege waiver.  Subsections (c)(4) and (c)(5) confirm that private sector disclosures are exempt from FOIA, while subsection (c)(6) reaffirms that the communications are not ex parte violations, and (c)(8) says that the cyber threat information cannot be used to regulate the lawful activities of any entity.  [This last is somewhat broader that the evidentiary privilege in the Lieberman-Collins bill.] McCain then goes further than Lieberman-Collins in a couple of respects.  For one thing, McCain has an explicit exemption from antitrust liability for private-to-private information sharing in section 102(e)(3).  The bill also explicitly preempts any contrary State law (section 102(f)). Finally, section 102(g) contains the liability protections that serve the same function as the section 706 provisions of the Lieberman-Collins bill.  Here, lies the major difference between the two bills.  Unlike the private right of action retained in the Lieberman-Collins bill, and unlike the good faith and knowing/willful provisions, the McCain bill has a simple, and complete prohibition – “No cause of action shall lie or be maintained in any court” for any use of countermeasures; any receipt or use of cyber threat information; or any inaction in response to the receipt of cyber threat information.  The only exceptions to this broad liability protection are for acts relating to the misuse of classified information and the actions of whistleblowers.  This is quite a simpler, cleaner and broader provision than that found in Lieberman-Collins.