There will likely be a vote in the near future on the Cybersecurity Act of 2012 (CSA), led by sponsors Senators Joe Lieberman (I–CT) and Susan Collins (R–ME). As the Senate considers the CSA, it should pay close attention to the deficiencies of the bill. Indeed, as one digs deeper into the bill, its flaws become more and more apparent.
The liability provisions of the CSA are especially concerning. On first glance, it seems that actors who share cybersecurity threat information have complete protection from lawsuits. But the bill also includes seemingly contradictory provisions that give protection only for those who act in “good faith” or for those who don’t “knowingly or acting in gross negligence…violate” the provisions of the bill.
So which is it? With such wildly different levels of liability protection, Senators cannot possibly know which level of protection they are voting for. Regardless of the authors’ intent, these inconsistent provisions will lead only to legal confusion, plenty of lawsuits, and huge litigation costs.
The CSA also puts cybersecurity actors between a liability rock and a hard place. The bill’s protections apply to the sharing of information but not to actions taken based on that information. This makes little sense. Information sharing is meant to provide actors with information so they can act.
By not protecting the actions (or inactions) taken as a result of shared information, the CSA completely undermines the point of information sharing. Actors will be unlikely to act on cybersecurity information since they will be held liable for any damage done, even if they act in good faith and without gross negligence.
For actors who don’t act, the bill gives protection only for “a reasonable failure to act.” With such flexible language, lawsuits and litigation will be endemic. When combined with the lack of liability protection for cybersecurity actions, actors will be faced with an impossible choice: Should I act on the information I received and face lawsuits for incidental harm, or should I not act and be sued because my failure to act was arguably not “reasonable”?
This “damned if you do, damned if don’t” trap will truly cripple information sharing and harm cybersecurity efforts while helping only tort lawyers by giving them plenty of new cases.
On the other hand, the CSA actually goes too far with certain liability protections. The bill seems to give complete protection for breach of contractual obligations, which flies in the face of centuries of legal custom. If a business or individual contracts with a cybersecurity provider and is promised that its information will never be shared, then that contract should enable actors to sue if the provider shared information.
The CSA contains serious flaws in its liability protections. Rather than make our cybersecurity efforts worse with ineffective and convoluted provisions, the U.S. Senate should pursue sound liability protections to encourage flexible cybersecurity efforts.