Liability concerns chill industry participation

No sooner did the new homeland security legislation cast aside — at least for now — concerns that sensitive information filtering through the Information Sharing and Analysis Centers could become public via the Freedom of Information Act (FOIA), than industry began fretting over a new concern: potential liability issues tied to interaction with the ISACs.

For example, what happens if a company, public utility or state government reports a potential vulnerability that is not acted on? If consequences ensue, who is at fault? Could the ISAC participant be held

liable, after making a good-faith effort to sound an industry alarm?

Liability questions such as these have waxed, as the once-prominent dialogue surrounding FOIA and data disclosure at the ISACs has waned.

"The Department of Homeland Security legislation gave us some relief from the FOIA problem, but not any kind of relief from the liability problem," said William Marlow, a Science Applications International Corp. vice president who led the design team that established the financial services ISAC in 1999. "We've got a double-edged sword, and we've now dulled one edge. We've got to fix the other."

Indeed, the Homeland Security Act of 2002 signed last November was mum on liability questions, though the new law did issue a blanket FOIA waiver to entities submitting information to the ISACs.

But even this FOIA relief could prove only temporary. Congressional members such as Sens. Patrick Leahy (D-Vt.) and Joe Lieberman (D-Conn.) have made it known that they are unhappy with the Bush administration's decision to "gut" FOIA and "ram through" FOIA exemptions the senators consider to be too broad, according to a statement Leahy issued in January.

Whether Leahy, Lieberman or any other lawmakers will move to undo the FOIA exemptions remains a concern in industry, despite the fact that Congress does not favor unraveling legislation that President Bush has already signed, sources said.

"When you have that kind of thing going on in the background, it gets sensitive every time you ask a [chief information officer] or [chief financial officer] to step out there and potentially take a risk," said Guy Copeland, a Computer Sciences Corp. vice president who sits on the board of directors for the information technology industry's ISAC.

While data disclosure risks may prove uncharted territory for company executives contemplating an ISAC alliance, liability risks are not. "There are always questions raised, and it gets back to whether we have undertaken all the steps we could," said Louis Leffler, manager of the electrical sector's ISAC.

Hence, liability questions are bound to arise, regardless of whether ISAC participation amounts to a window into a company's operations. "It is something people obviously have to consider from two or three aspects," Leffler said. "For instance, you've got to do risk analyses. But at the end of the day, someone might ask, 'Do you have 24-foot-high barbed wire fences around

facilities?' And though someone might ask that, it still might not have been the appropriate action to take."

Most ISAC members and potential members are in no way looking to shirk such accountability exercises. Yet still they are eager for statutes that would provide the comfort of a formal shield from liability-related litigation, many said.

In fact, the absence of such laws may prove an easy out for some companies contemplating joining an ISAC. "With corporate lawyers, the goal is often to keep something from happening," Copeland said. Therefore, liability jitters are one more reason ISAC officials have to overcome to convince prospective new members to join the centers and make the necessary investments.

However, the debate around ISACs and liability may be far from the level of maturity necessary to make possible any kind of legislative shield, noted industry watcher Lee Zeichner, president of LegalNetworks Inc. Is the government, ISAC or participating member "required to act once they are aware of something? These are thorny issues, but most have not been completely thought through," he said.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.