House votes to exempt cybersecurity plans from FOIA
Lansing — Information about private companies’ cybersecurity plans would be shielded from open records requests to state departments under legislation that overwhelmingly passed the House in bipartisan fashion Wednesday.
Most Republicans and Democrats voted for the bill, which passed 101-5. It would exempt information related to cybersecurity plans from Freedom of Information Act requests out of concern that companies’ private data could be breached if it were shared with State Police or other public agencies.
The bill now moves to the Senate for consideration. Supporters say it would strengthen the state’s fight against hackers.
But one of the House lawmakers who voted against it, Rep. Yousef Rabhi, D-Ann Arbor, said he’s skeptical whenever the state moves to exempt information from public purview.
Rabhi said citizens sometimes have a right to learn about a company’s security measures when it might directly impact them, such as in the event of a data breach. He also said transparency could potentially strengthen cybersecurity because it would extend an opportunity for ‘good’ hackers to point out vulnerabilities that could be fixed.
“Anytime we’re hiding information from the public I become very leery of that,” Rabhi said. “I set the bar very high in terms of the necessity of this, and this bill doesn’t meet that threshold for me.”
The Republican bill sponsor, Rep. Brandt Iden of Oshtemo Township, said he considers a company’s cybersecurity measures “proprietary” and that allowing that information to leak to potential hackers would make the State Police less effective at warding off cyberattacks.
State Police testified in a House committee hearing on the bill that private companies might be hesitant to provide any information to investigators after a hack out of concern that it could later be disclosed under open records requests.
That could make it harder for the state to develop robust plans aimed at fighting hackers, Iden said.
No specific companies brought this to his attention, Iden said. The lawmaker said he worked directly with State Police and Gov. Rick Snyder’s office on the bill. The Michigan Bankers Association and the Michigan Association of Counties also backed the bill.
State open records law exempts from disclosure any “records or information of measures designed to protect the security or safety of persons or property.” The legislation would specifically add “cybersecurity plans, assessments or vulnerabilities” to the list of shielded records.
“We don’t want the hackers to know what we’re up to,” Iden said. “We’ve got these plans that we’re putting in place to make sure that Michigan is preventing these attacks and if we let the enemy, if you will, know what we’re up to by being able to get that information, I think it prevents the state of Michigan from being able to combat these attacks if they know what we’re doing to defend ourselves.”