U.S. Reps. Tom Davis (R-Va.) and James Moran (D-Va.) last week introduced a bill, the Cyber Security Information Act of 2001, that would give companies and trade associations anonymity and protection against lawsuits when participating with the FBI and other government entities in hacker investigations.
Marketing and sales organizations have been leery of participating in such investigations for fear that confidential information—ranging from computer network data to customer lists and credit information—could be obtained by competitors, individuals or the media through the Freedom of Information Act (FOIA). The bill protects information from being shared through FOIA.
The bill has received support from such organizations as the U.S. Chamber of Commerce, Washington, which said the legislation would give companies the incentive to participate in government investigations of cyber attacks.
Protection from attack
Rick Lane, the U.S. Chamber’s director of e-commerce and Internet technology, called corporate computer information on customers, sales partners and network architecture "key business assets that must be protected from attack.’’
Coordinated investigative efforts between public and private organizations are required to safeguard such key industries as energy, banking and travel, Lane said.
Direct marketers have been seeking legislation of this kind, said Ben Isaacson, executive director of the Association for Interactive Media, a subsidiary of the Direct Marketing Association, New York.
User agreements among direct marketers and customers often prohibit marketers from divulging information to third parties, Isaacson said. The bill would likely allow companies to supersede those policies when queried by federal investigators without rewriting every customer agreement, he said.
"Today, it is often a violation of the customer contract to participate in an investigation without a search warrant,’’ he said.
The majority of cyber attacks today on marketing organizations come from outside the U.S., so federal powers are necessary to chase frauds, Isaacson said. "In essence, the only way to go after international hackers is on a federal level," he said. "This really is becoming an issue of national security.’’
Not everyone is convinced the Cyber Security Information Act of 2001 makes sense.
Jim Dempsey, deputy director of the Center for Democracy and Technology, Washington, said protections given to corporations are too broad. By shielding companies against FOIA inquiries, the legislation will make it difficult or impossible for the public to learn of federal investigations into cyber security, he said.
"There’s a public interest [in] whether the government is responding properly to cyber security investigations and how the government is conducting those investigations,’’ Dempsey said. "By reducing public accountability, this bill discourages responsible government action.’’
The approach of the bill is similar to that of legislation that limited corporate liability for the Year 2000 computer virus.
The bill appears to be on a fast track. It currently is before the Government Reform Committee and will be the subject of hearings prior to the congressional recess in August. Davis said he hopes to bring the bill to the House floor before the end of 2001.
Sen. Robert Bennett (R-Utah) said he will introduce similar legislation in the Senate.