Word is that Senator Reid has filed cloture on the motion to proceed to consideration of the Lieberman-Collins bill. [UPDATE: At the request of two readers I've uploaded the latest version of the text of the bill. As with any fast moving legislation, changes happen often and "your text may vary." Mine is from Thursday July 19.]
The cloture motion will “ripen” on Thursday or Friday, I’m told, so by the end of the week we will know whether or not the Senate will comprehensively consider cyber legislation or whether the entire process will end before it has even begun. And that means that by the end of the week, I’ll know whether this is my last legislative blog on this issue or the first of many more in the next few weeks or months.
With that in mind I wanted to do a deeper dive on the liability provisions of the information sharing title (Title VII) of the Lieberman-Collins bill. I confess that the more deeply I read them the less I understand them – which suggests to me that there are, at a minimum, some drafting fixes that might be considered even above and beyond the substantive questions we will be talking about.
Though I’m loathe to burden this blog with “text” most of what I want to write about can’t be understood without reading the actual draft language of Section 706 of the proposal. So, here are the relevant pieces in all their glory:
SEC. 706. LIMITATION ON LIABILITY AND GOOD FAITH DEFENSE FOR CYBERSECURITY ACTIVITIES.
(a) IN GENERAL.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity acting as authorized by this title, and any such action shall be dismissed promptly for activities authorized by this title consisting of—
(1) the cybersecurity monitoring activities authorized by paragraph (1), (3) or (4) of section 701(a); or
(2) the voluntary disclosure of a lawfully obtained cybersecurity threat indicator—
(A) to a cybersecurity exchange pursuant to section 704(a);
(B) by a provider of cybersecurity services to a customer of that provider;
(C) to a private entity or governmental entity that provides or manages critical infrastructure (as that term is used in section 1016 of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c)); or
(D) to any other private entity under section 702(a), if the cybersecurity threat indicator is also disclosed within a reasonable time to a cybersecurity exchange.
(b) GOOD FAITH DEFENSE.—If a civil or criminal cause of action is not barred under subsection (a), a reasonable good faith reliance that this title permitted the conduct complained of is a complete defense against any civil or criminal action brought under this title or any other law.
(e) LIMITATION ON LIABILITY FOR FAILURE TO ACT.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any private entity, or any officer, employee, or agent of such an entity, and any such action shall be dismissed promptly, for the reasonable failure to act on information received under this title
(g) LIMITATION ON LIABILITY PROTECTIONS.—Any person who, knowingly or acting in gross negligence, violates a provision of this title or a regulation promulgated under this title shall—
(1) not receive the protections of this title; and
(2) be subject to any criminal or civil cause of action that may arise under any other State or Federal law prohibiting the conduct in question.
So ….. what does all this mean. I have several question some of which I honestly can’t answer well. The ambiguity alone, is reason enough to be concerned with this text. Here they are:
What is the relationship between 706(a) and (b)? Section 706(a) looks like it is written as a complete and absolute liability protection for monitoring activity that is within the four corners of 701(a) (involving monitoring one’s own network or the network of another, if they have consented) or information sharing of cyber threat information with an exchange or with other authorized entities. So the structure suggests that the good faith defense available in subsection (b) is for those who thought, in good faith, that the monitoring or sharing was authorized but it turns out that it was not.
I just can’t imagine what the use of this structure is. Would there really be cases where entities thought that the monitoring or sharing was within the law but it was not? And if so, is there any realistic belief that they would be acting in bad faith rather good faith? This structure seems to be directed at a nearly null set – the hypothetical bad actor who, in bad faith, purposefully over monitors or over shares and then seeks liability protection, pretending to have acted in good faith. That just doesn’t seem like a significant prospect to me.
What it means in practice is that the motion to dismiss a filed suit will now be a two step process – first the monitoring/sharing defendant will assert that its conduct was lawful and thus fully protected (a factual inquiry, I assume, necessitating discovery) and then an assertion, if that fails, of a good faith defense (likely necessitating even more discovery). Perhaps the first inquiry can be recharacterized as a question of law (“assuming I did what they said, it was clearly authorized”) in some cases but I have no way of knowing how frequent that will be. And we can be sure that there will be some cases where that won’t be the case – so as structured an unknown fraction of filed cases will be subject to discovery with attendant litigation costs.
What is the relationship of 706(a) and (b) to 706(g)? And then of course we take it all back in subsection (g). For anyone who acts knowingly or with gross negligence all the liability protections disappear completely and I assume that means that they lose both the liability protection of subsection (a) and the chance to make a good faith argument under subsection (b). Of course, after the recent Supreme Court decisions in Iqbal and Twombly plaintiffs have an obligation to state “plausible” claims but it is unclear to me how much protection that will afford. To be sure this adds more uncertainty and, likely, even greater litigation costs.
Is liability for breach of contractual obligations also eliminated? By now readers will have figured out that I am generally in favor of a broad liability exemption. But one aspect of this text seem to me to go perhaps too far (yes … I said that!). Section 706(a) purports to extinguish all civil and criminal liability for authorized sharing and monitoring. The way I read that it also includes an exemption from liability for the breach of contractual obligations. So if, say, your ISP promises you in a contract never to share any information with the Federal government and it then goes ahead and shares information with a cyber exchange, you can’t even sue for actual damages. I wonder about that …..
Why does 706(a)(1) refer back only to protect the activities of subparagraphs (1), (3) and (4) of section 701(a) and not section 701(a)(2)? This one doesn’t puzzle me so much as make me think that the drafters of this section were not really serious about what they were doing. Section 701(a)(1) authorizes an entity to monitor its own systems for cyber threats. Subsection (3) says it can consent to someone else monitoring the system for it and subsection (4) is the converse – it can monitor another person’s system with that entitiy’s consent.
So what is the mysterious excluded subsection (2)? It’s the subsection that authorizes an entity to take countermeasures to protect its own system (subsection (5), which is also not mentioned, allows it to take countermeasures on a third parties’ system with its consent). So in other words, the way the provisions work together is that an entity can both monitor the cyber traffic for threats and take countermeasures to protect itself – but it ONLY gets liability protection for monitoring, not for acting.
That’s just nonsense. In what construct is it sensible to try incentivize the collection of cyber threat and vulnerability information but then to tell those who collect it that they use it at their own peril? In effect what this is trying to do is affirmatively disincentivize the private sector from acting in its own defense – instead they are effectively encouraged to passively monitor and then share that information with the government for it to do with as it sees fit.
This provision only make senses if you think that the government is a better, centralized actor for countermeasures than the private sector – a belief that I submit is counterfactual.
What is a “reasonable failure to act” in 706(e)? And how does that relate to the exclusion 701(a)(2)? Finally take a look at 706(e). It purports to protect the failure to act – and that’s a good thing as a theoretical matter. We don’t want the fact that an entity joins an exchange and receives information to bring with it liability if it fails to act on that information – otherwise we would just dissuade people from joining the exchange in the first place.
But here, again, the draft uses weasel words. What is a “reasonable failure to act”? I don’t even know how to measure the reasonableness of a failure to act because the decision not to do something is often not an intentional one (though it might sometimes be, of course)? And even if we know how to define it then, again, the reasonableness determination is likely a fact based question, making the failure to take action a litigation trap.
Even worse, however, is the relation of this provision to the countermeasures exclusion we just discussed. As structured the provisions create a damned if you do, damned if you don’t problem. You may NOT take countermeasures based on information you have monitored on your own system (or of another if you have their consent) – or rather you can, but you aren’t protected from liability if you do so. But if you gather information through monitoring (presumably this is “information received” under this title) and you DON’T act then you run the risk that your failure to act may deemed unreasonable. I wonder – would the decision NOT to act on information be reasonable if the reason an entity chose not to act was because if feared liability that might result from the collateral consequences of the countermeasures it might choose to use? Or is fear of liability “unreasonable”?
As I said, I am sure that some of these issues are just the product of the difficulty of drafting – and as to that I have real sympathy. You don’t know how hard it is to draft statutory language without ambiguity until you’ve tried.
But some of the choices here – the elimination of contractual obligations and the failure to protect the use of countermeasures – are quite obviously deliberate choices. We may reasonably ask if they are wise ones.