• The Heritage Network
  • Senate Cybersecurity Bill Gets Worse the More You Read It

    There will likely be a vote in the near future on the Cybersecurity Act of 2012 (CSA), led by sponsors Senators Joe Lieberman (I–CT) and Susan Collins (R–ME). As the Senate considers the CSA, it should pay close attention to the deficiencies of the bill. Indeed, as one digs deeper into the bill, its flaws become more and more apparent.

    The liability provisions of the CSA are especially concerning. At first glance, it seems that actors who share cybersecurity threat information have complete protection from lawsuits. But the bill also includes seemingly contradictory provisions that give protection only for those who act in “good faith” or for those who don’t “knowingly or acting in gross negligence…violate” the provisions of the bill.

    So which is it? With such wildly different levels of liability protection, Senators cannot possibly know which level of protection they are voting for. Regardless of the authors’ intent, these inconsistent provisions will lead only to legal confusion, plenty of lawsuits, and huge litigation costs.

    The CSA also puts cybersecurity actors between a liability rock and a hard place. The bill’s protections apply to the sharing of information but not to actions taken based on that information. This makes little sense. Information sharing is meant to provide actors with information so they can act.

    By not protecting the actions (or inactions) taken as a result of shared information, the CSA completely undermines the point of information sharing. Actors will be unlikely to act on cybersecurity information since they will be held liable for any damage done, even if they act in good faith and without gross negligence.

    For actors who don’t act, the bill gives protection only for “a reasonable failure to act.” With such flexible language, lawsuits and litigation will be endemic. When combined with the lack of liability protection for cybersecurity actions, actors will be faced with an impossible choice: Should I act on the information I received and face lawsuits for incidental harm, or should I not act and be sued because my failure to act was arguably not “reasonable”?

    This “damned if you do, damned if you don’t” trap will truly cripple information sharing and harm cybersecurity efforts while helping only tort lawyers by giving them plenty of new cases.

    On the other hand, the CSA actually goes too far with certain liability protections. The bill seems to give complete protection for breach of contractual obligations, which flies in the face of centuries of legal custom. If a business or individual contracts with a cybersecurity provider and is promised that its information will never be shared, then that contract should enable actors to sue if the provider shared information.

    The CSA contains serious flaws in its liability protections. Rather than make our cybersecurity efforts worse with ineffective and convoluted provisions, the U.S. Senate should pursue sound liability protections to encourage flexible cybersecurity efforts.

    Posted in Security
