The recently-introduced Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT), HR 1468, includes a “technical amendment” that actually would be one of the most far-reaching substantive changes to the Freedom of Information Act’s (FOIA) exemptions since 1986.
Similar to a dangerous provision that was included in the version of the bill introduced in the Senate during the last Congress, Section 107 of SECURE IT creates a new exemption to the FOIA that gives the government the authority to withhold information shared with or to the cybersecurity centers created by the bill. The bill also includes troubling language that defines any information shared with the cybersecurity centers as “voluntarily shared information” that is exempt under the FOIA and preempts any State, tribal, or local law requiring disclosure of information or records, and — in case anyone was still confused about the bill’s position on public disclosure — creates a new FOIA b(3) exemption for the information.
While the anti-right-to-know language in SECURE IT is particularly bad, the provision is notably similar to cybersecurity bills like CISPA that attempt to encourage companies to share information with the federal government by giving them broad assurances that nothing they share will ever be released to the public. This approach is bad public policy: it ignores that most of the truly sensitive information companies are likely to share is already exempt under the FOIA and does not include a mechanism to weigh the public interest in disclosure of the information. Some of the information that may be shared under the bill — and therefore exempt from disclosure — could be critical for the public to ensure its safety
If the federal government really needs expanded authority to withhold information under the FOIA in order to persuade companies to share cybersecurity information, the issue should be addressed by Committee’s that have expertise on public access issues: the House Oversight and Government Reform Committee and Senate Judiciary. Any amendment to the FOIA, especially an amendment of this scope, should begin with careful consideration and public hearings by those Committees. It should not be a dangerously broad provision tucked into a large bill and disguised as a “technical amendment.”