EXEMPT CERTAIN ELECTRONIC INFORMATION FROM FOIA

House Bill 4973 as introduced

Sponsor:  Rep. Brandt Iden

Committee:  Communications and Technology

Complete to 10-9-17

SUMMARY:

House Bill 4973 would amend the Freedom of Information Act (FOIA) to exempt certain electronic data related to cybersecurity measures from disclosure to the public.

Currently, Section 13(1)(y) of FOIA exempts “records or information of measures designed to protect the security or safety of persons or property” from being disclosed to the public. The bill would amend this to add, “or the confidentiality, integrity, or availability of information systems.”  The bill would also add that these systems could include, but are not limited to, “cybersecurity plans, assessments, or vulnerabilities.”

The bill would also amend Section 13(1) by adding subdivision (z) to exempt information that would identify or provide a means of identifying a person that may, as a result of disclosure, become a victim of a cybersecurity incident. Information that would disclose a person’s cybersecurity plans or other related practices, procedures, methods, results, organizational information system infrastructure, hardware, or software would also be exempt.

The bill would further add that both of the exemptions above would not apply to information submitted as required by law or as a condition of receiving a governmental contract, license, or other benefit.

HB 4973 would add the following definitions:

· Cybersecurity assessment would mean an investigation undertaken by a person, governmental body, or other entity to identify vulnerabilities in cybersecurity plans.

· Cybersecurity incident would include, but not be limited to:

  o A computer network intrusion or attempted intrusion;

  o A breach of primary computer network controls;

  o Unauthorized access to programs, data, or information contained in a computer system;

  o Or actions by a third party that materially affect component performance or, because of impact to component systems, prevent normal computer system activities.

· Cybersecurity plan would include, but not be limited to, information about a person’s information systems, network security, encryption, network mapping, access control, passwords, authentication practices, computer hardware or software, or response to cybersecurity incidents.

· Cybersecurity vulnerability would mean a deficiency within computer hardware or software, or within a computer network or information system, that could be exploited by unauthorized parties for use against an individual computer user or a computer network or information system.

The bill would also add to the definition of “Writing” so that it includes hard drives and solid state storage components as a means of recording or retaining meaningful content.

Finally, the bill would make stylistic and linguistic changes throughout FOIA to update references and clarify wording.  

MCL 15.232, MCL 15.243

FISCAL IMPACT:

The bill would have no direct fiscal impact to the State or local governments.

The bill could result in cost savings to the State and local governments if exempting the types of information specified in the bill were in fact to prevent a cybersecurity breach. As a general reference, the 2017 Ponemon Cost of Data Breach Study reports that the global average cost of a data breach is $3.6 million and the average cost for each lost or stolen record containing sensitive and confidential information is $141.

Legislative Analyst: Emily S. Smith

Fiscal Analyst: Michael Cnossen

This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.