The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT)—first introduced in 2012 by US Representative Mary Bono Mack (R-California) and reintroduced in 2013 by US Representative Marsha Blackburn (R-Tennessee) includes a very disturbing technical amendment that would create a new exemption to the Freedom of Information Act (FOIA).
Section 107 of the technical amendments would allow the government to withhold information shared with the cybersecurity centers created by the proposed legislation.
Additionally, language in the proposed legislation appears to define any information shared with the cybersecurity centers as “voluntarily shared information” and therefore exempt from FOIA. The language specifically preempts any state, local, or tribal law from requiring FOIA disclosure by actually creating a new FOIA (b)(3) exemption for the shared information.
The proposed legislation’s language is consistent with similar proposals such as the Cyber Intelligence Sharing and Protection Act (CISPA). The intent is to encourage corporations to share information with the government by giving them overly broad protections regarding the public release of the information they provide. What few realize is that really, truly sensitive corporate information already enjoys FOIA exemption under one or more of the existing nine FOIA exemptions:
- Exemption 1: Information that is classified to protect national security and classified under an Executive Order.
- Exemption 2: Information related solely to the internal personnel rules and practices of an agency.
- Exemption 3: Information that is prohibited from disclosure by another federal law.
- Exemption 4: Information regarding business trade secrets or other confidential commercial or financial information.
- Exemption 5: Information that concerns communications within or between agencies which are protected by legal privilege (e.g., attorney-work product, attorney-client, deliberative process).
- Exemption 6: Information that, if disclosed, would invade another individual’s personal privacy.
- Exemption 7: Law enforcement information if one of the following harms would occur:
- 7(A). Could reasonably be expected to interfere with enforcement proceedings.
- 7(B). Would deprive a person of a right to a fair trial.
- 7(C). Could reasonably be expected to constitute an unwarranted invasion of personal privacy.
- 7(D). Could reasonably be expected to disclose the identity of a confidential source.
- 7(E). Would disclose techniques and procedures for law enforcement investigations or prosecutions.
- 7(F). Could reasonably be expected to endanger the life or physical safety of any individual.
Because the various FOIA exemptions are adequate, any move to broaden the existing exemptions or add new ones without considering the public interest is simply bad public policy.