Gus Coldebella, former Deputy General Counsel (and Acting General Counsel) for DHS and now a partner at Goodwin Proctor, writes in with this additional comment on the liability provisions of the Lieberman-Collins bill [I added the hyperlink to my prior post]:
I just read your very good post on questions around the liability protection provisions of the revised Lieberman-Collins bill. I’d make one addition: 706(d) is also potentially troublesome. Here’s why: Since info sharing is intended to be a voluntary system—i.e., nothing in the law requires private-sector entities to pass along “cybersecurity threat indicators”—there should not be a cause of action against private sector entities for “failure to disclose” CTI. But 706(d) purports to limit a cause of action for “failure to disclose” CTI—though such a cause of action shouldn’t exist. So what gives?
One possible explanation is that 706(d) is designed to prevent liability for the federal government’s “Lead Federal Civilian Cybersecurity Exchange”—created in 703(c)—if it doesn’t do what it is supposed to, which is to “distribute, in as close to real time as possible . . . cybersecurity threat indicators. . . .” Since 704(g)(7) creates liability for the federal government’s intentional or willful violation of the title, such liability might include the failure of the LFCCE to “distribute in real time.” And 706(d) might have been intended to prevent such liability if there’s a good law enforcement, intelligence, or homeland security reason for not distributing in real time. (That this may have been the drafters’ intention is supported by the section’s title: “Delay In Notification Authorized For Law Enforcement, National Security, or Homeland Security Purposes.”)
But that’s not what 706(d) does. Instead, it leaves the impression that there is a separate, free-standing “cause of action . . . against any entity . . . for a failure to disclose a cybersecurity threat indicator.”
This is a problem. You can easily imagine a plaintiff’s lawyer employing 706(d) to seek damages against a participating private sector entity that had, but did not disclose, CTI—alleging disclosure of that CTI would have prevented the plaintiff’s loss. That 706(d) even raises the possibility of such a lawsuit could turn out to be a major disincentive to participation, potentially diminishing the program’s usefulness.
Recommendation: The drafters should figure out what 706(d) was intended to do. If it’s as I described above, 706(d) should be rewritten for clarity and moved to 704(g), to make it clear that (i) the only entity with a positive obligation to share CTI is the LFCCE, and (ii) the LFCCE can’t be sued if it doesn’t distribute CTI when there’s a good reason under the statute to not do so.