U.S. Cybersecurity Bill Includes FOI Exemption

25 April 2013

Legislation recently passed by the U.S. House of Representatives, the Cyber Intelligence Sharing and Protection Act (CISPA), would provide liability protection for companies sharing cyberthreat information with the federal government. It also would exempt all such shared information from disclosure under the Freedom of Information Act.

The bill is being criticized largely for amending privacy laws and granting companies new rights to monitor user actions and share data with the government without a warrant. It faces a veto threat from the White House.

It also includes a FOI exemption. Information provided to the federal government under CISPA would be exempt from the Freedom of Information Act and other state laws that could otherwise require disclosure (unless some law other than CISPA already requires its provision to the government).

A blog post by Mathew Ramsey of the Sunlight Foundation contends, “Wholesale exemptions for ‘cyber threat information’ will prevent public oversight and deny citizens and watchdogs the ability to understand how the government and businesses communicate about and respond to cyber threats. The most sensitive information that would be shared through these bills is already protected from disclosure through existing FOIA exemptions. It is hard to see a compelling reason to subvert the FOIA altogether when it comes to cybersecurity.”

OpentheGovernment.org, a coalition of pro-transparency organizations, also opposes the exemption, writing recently:

Why is the provision so bad?

First, it ignores the fact that much of the sensitive information private companies are likely to share with the government is already protected from disclosure under the FOIA. Granting a sweeping provision from disclosure to encourage companies to share information that is already protected under the law is just bad policy.

Second, it is incredibly broad. There is a dangerous lack of specificity as to what can be considered “cybersecurity threat information.” It is not possible for us — or Congress — to know what types of information may be covered by this exemption.

Furthermore, there is no mechanism to weigh the public interest in disclosure of the information. Some of the information that may be shared under the bill — and therefore exempt from disclosure — could be critical for the public to ensure its safety.
