By Sarah Brewerton-Palmer and Nneka I. Ewulonu
Proposed legislation would limit Georgians’ right to know about cybersecurity activities and incidents.
Georgia lawmakers are taking swift action on cybersecurity bills with open government implications. The Georgia First Amendment Foundation stated our opposition to these bills, which we believe would limit visibility into what government agencies at all levels are doing. We also contend that existing laws provide the exceptions government officials need to protect against cyberattacks.
Nonetheless, lawmakers from both parties are resoundingly behind the proposals. Both bills passed the House with 0 nays. One measure, House Bill 156, already has passed both chambers. The pace is troubling.
Proponents of these bills say they would make Georgians — and the government technology systems we all rely on — more secure. But dig into the details, and it’s clear that these protections would come at the expense of Georgians’ right to know. Protecting government agencies against cyberattacks is important and requires some secrecy, but the foundation is concerned that these bills are an unnecessary departure from the principles of open government. They give public institutions broad leeway to close meetings or shield records.
Proposals would erode the public’s right to know
HB 156 requires public agencies and utility companies to report cyberattacks and data breaches to homeland security and emergency management officials. The bill further provides that “[a]ny reports or records produced pursuant to this code section shall not be subject to public inspection or disclosure” under the Georgia Open Records Act.
House Bill 134 would allow government agencies to close meetings “when discussing or deliberating upon cybersecurity plans, procedures, and contracts regarding the provision of cybersecurity services.” While the identity of the contractor and terms of the agreement must be disclosed in a public meeting before voting to approve a cybersecurity contract, the proposed legislation would permit the government to hide all other discussions involving cybersecurity.
The bill would also exempt from the Open Records Act “[a]ny document or plan for protection relating to the existence, nature, location, or function of cybersecurity devices, programs, or systems designed to protect computer, information technology, or communications systems against terrorist or other attacks.”
That sweeping language has the potential to hide information about how governments pay for or manage computer networks — information that might not be directly related to combating cyberattacks. Taken to the extreme, it could allow government agencies to keep information about data breaches secret — even if the cause is public officials’ incompetence or malfeasance.
The foundation sees three major problems with HB 134. First, it does not sufficiently define the type of cybersecurity discussion that would qualify for public officials to go into executive session behind closed doors. Second, it would shield from the public essentially any record that touches upon cybersecurity — regardless of whether disclosure of the record would harm cybersecurity efforts. Third, its secretive provisions simply are not necessary. Georgia’s existing Sunshine Laws already allow officials to shield public records related to “[s]ecurity plans and vulnerability assessments for … technology infrastructure” where the disclosure of the requested records would compromise security (O.C.G.A. § 50-18-72(25)(A)(i)).
Without appropriate limitations, HB 134 would weaken the spirit and purpose of our state’s Open Meetings Act and Open Records Act.
Lawmakers can balance cybersecurity and transparency
The foundation recommends that lawmakers amend HB 134’s provisions related to closed meetings and public records to allow for secrecy only when necessary to provide essential cybersecurity protection. Specifically, lawmakers should amend the bill to make it consistent with existing open records laws, allowing meetings to be closed or public records to be withheld only when the disclosure of those deliberations or records “would compromise security against sabotage or criminal or terrorist acts” and when the secrecy of those deliberations or records “is necessary for the protection of life, safety, or public property.”
Changing House Bill 156 is more complicated because the bill already has passed both the House and Senate and soon will head to Gov. Brian Kemp for his signature. But the law could be improved in a future General Assembly session to shield from the public only narrow, relevant portions of public records that could “compromise security against sabotage or criminal or terrorist acts.”
These immediate amendments to HB 134 and future improvements to HB 156 would better protect Georgians’ right to know, while also protecting our government agencies against cyberattacks.
Lawmakers — and especially the Georgians they represent — should pause to grasp the consequences of allowing these bills to become law in their current forms. These measures attempt to increase our security by limiting our understanding of what our government is doing. Does that really make us safer?
Sarah Brewerton-Palmer, a foundation board member and chair of GFAF’s Legislative Committee, is an attorney at Caplan Cobb in Atlanta.
Nneka I. Ewulonu is a third-year student at the University of Georgia School of Law.
Photo courtesy of Ross Williams/Georgia Recorder