A new piece of bipartisan legislation—the “Enhancing Grid Security through Public-Private Partnerships Act” (HR 5240)—was reported out of the House Energy and Commerce Committee on May 9. This bill, introduced by Jerry McNerney (D-CA) and Bob Latta (R-OH), attempts to encourage robust information sharing concerning cyber and physical vulnerabilities of the electric grid and best practices among industry participants and with the federal government by providing protections for the shared information. To serve this purpose effectively and thereby improve the security of the nation’s electric grid, and to be politically acceptable, the bill requires significant changes. The provision of a limited confidentiality privilege for information provided to the federal government, in order to encourage robust information sharing on existing vulnerabilities critical to improving security, has been done before in the Highway Safety Act. Following that model here could help the electricity industry and the federal government, working together, to better protect the country.
The sharing of materials addressing identified vulnerabilities raises different issues than the data privacy issues raised and attempted to be addressed by the Cybersecurity Information Sharing Act of 2015 (“CISA”); those issues, and the question of whether CISA is so freighted by privacy concerns that it fails to adequately protect internet security (which is essential to the protection of privacy), are beyond the scope of this piece.
HR 5240 provides that “Information provided to, or collected by, the Federal Government pursuant to this section … shall not be made available by any Federal, State, political subdivision or tribal authority pursuant to any … law requiring public disclosure of information or records.” The evident purpose is to allow public utility companies to provide robust sharing of information relevant to the physical and cyber security of electric utilities. The measure would apply both before and after an incident. Protecting information before any incident is essential to ensure that the information shared by utilities does not become a roadmap for the very kinds of attacks that the legislation is supposed to assist in preventing. Protecting information after an incident is also important, in order to prevent the information gathered before an incident from becoming a weapon in litigation against the utilities for failure to address a known vulnerability, and for that reason discouraging the robust sharing of information.
As written, the legislation could fail to accomplish its evident and valuable purpose. Among the reasons for this potential failure is that the information to be protected is that “provided to, or collected by, the Federal Government pursuant to this section” (emphasis added) – but the bill does not actually provide for the provision to or collection by the Federal Government of anything. It would be risky to rely on the overarching and stated purpose of the bill here because provisions like this one are to be construed narrowly. “A statute granting a privilege is to be strictly construed so as ‘to avoid a construction that would suppress otherwise competent evidence,’” the Supreme Court stated in Pierce County v. Guillen, 537 US 129 (2003). It is simply not enough to assume that Congress intends there to be robust sharing with the Department of Energy; the section as written simply fails to provide for such sharing, and so the protection afforded could easily be illusory.
Another reason for the potential failure of the legislation to accomplish its evident purpose is that the “protection of information” language is only protection against required disclosure under the Freedom of Information Act and against any disclosure by “any Federal, State, political subdivision or tribal authority pursuant to any Federal, State, political subdivision, or tribal law requiring public disclosure of information or records.” This language might be broad enough to cover compelled public disclosure in the course of litigation, but it might not be broad enough to prevent disclosure to litigants under seal, and it is certainly not broad enough to prevent the use of leaked information in any legal action.
I do not believe that it would be difficult to develop a fix to the language to ensure that the statute would actually create a privilege on which the utility industry could rely. But as written, there is an unacceptable risk that any protection would be illusory.
The basic idea of creating a privilege for cybersecurity related information has been quite controversial, largely because there is a concern that a privilege would reduce the incentive to provide for good cybersecurity, resulting in diminished accountability and diminished protection. To be sure, it would be possible to interpret the privilege that HR 5240 seems intended to create broadly, effectively immunizing from production all information provided to or collected by the Federal Government relating to cyber security or physical security, whether that information would have existed in the absence of HR 5240 or not. Such an interpretation, however, probably would doom HR 5240 to political defeat.
The Supreme Court’s opinion in Pierce County v. Guillen points to a different approach, one that would not amount to any reduction in the accountability of utilities but that would better advance the information-sharing purposes of the current proposals. The Pierce County decision involved section 152 of the Highway Safety Act of 1966, a program to help states reduce highway and other road hazards at the most dangerous locations. In order to qualify for the financial assistance that the program offered, the states would have to comprehensively assess their public roads. Because of concerns that the efforts to identify particularly hazardous roads would increase the risk of liability for accidents that took place at such locations before the hazards could be addressed, the states were reluctant to carry out those assessments. Congress responded by enacting a provision providing that
reports, surveys, schedules, lists, or data compiled for the purpose of identifying[,] evaluating, or planning the safety enhancement of potential accident sites, hazardous roadway conditions, … pursuant to section … 152 … or for the purpose of developing any highway safety construction improvement project which may be implemented utilizing Federal-aid highway funds shall not be admitted into evidence in Federal or State court or considered for other purposes in any action for damages arising from any occurrence at a location mentioned or addressed in such reports, surveys, schedules, lists, or data. (emphasis added)
This provision, enacted in 1987, was amended in 1991 to be made applicable explicitly to pre-trial discovery, and then again in 1995 to expand the privilege to reports and other materials “collected” as well as to such materials “compiled.” Importantly, the provision clearly creates a privilege with respect to the use of the materials in any federal or state court, and not just protection against the public disclosure of the materials.
The Court held that the statute covered only those documents compiled by the agency responsible for section 152 and those documents collected by that agency in the possession of that agency, but that the statute provided no protection to documents compiled or collected by some other agency for some other purpose in the possession of some other agency. The Court adopted this interpretation to be as narrow as possible (because “statutes establishing evidentiary privileges must be construed narrowly because privileges impede the search for the truth”), while giving full effect to the 1995 amendment that added “collected.”
This construction left potential plaintiffs no worse off than if the section 152 program had not been enacted, and it did not increase the risks of liability to the states as a result of availing themselves of the section 152 program. As the Court explained, Congress made it clear that section 152 “was not intended to be an effort-free tool in litigation against states and local governments;” plaintiffs would continue to have to do the hard work of finding relevant evidence on their own without the benefit of having a central repository of relevant information from which they could get evidence.
This balanced outcome is a potential model for provisions like HR 5240, intended to foster robust communication about cyber and physical risks, to better facilitate the mitigation of such risks, and to do so without reducing the existing level of accountability. Combining the kind of evidentiary privilege created by the Highway Safety Act with the public disclosure protections of HR 5240 would address the barriers to the kind of robust sharing of information on vulnerabilities that is so critical to an effective national effort to address security concerns about the electric grid.
The Court’s (unanimous) opinion in Pierce County points the way toward a modest redraft of HR 5240 that would encourage robust sharing, without reducing a utility’s existing exposure to liability. That there is a well-established precedent for creating a privilege to facilitate robust information sharing should help to overcome political objections. The robust information sharing this approach would encourage should result in increased levels of protection of the critical infrastructure operated by our nation’s electric utilities. This is not simply a balance between two objectives—the utilities’ exposure to liability vs increased protection for the grid. Instead, the Pierce County solution removes a significant disincentive to utilities sharing information on identified vulnerabilities. It bolsters the national security benefits that HR 5240 is meant to achieve.