During the 2021 legislative session, the Georgia Assembly passed two bills related to cybersecurity that warrant some discussion and analysis.
HB 134 (https://www.legis.ga.gov/legislation/59005) is sitting on Governor Kemp’s desk and has not yet been signed into law. The bill is designed to carve out exemptions from open meeting requirements and public records requests related to cybersecurity contracting and planning. Specifically, HB 134 amends subsection (b) of Chapter 14 of Title 50 of the Official Code of Georgia Annotated (OCGA) (Code Section 50-14-3) by adding a new section 5, which reads as follows:
“Meetings when discussing or deliberating upon cybersecurity plans, procedures, and contracts regarding the provision of cybersecurity services. No vote in executive session to enter into a cybersecurity contract shall be binding on an agency until a subsequent vote is taken in an open meeting where the identity of the contractor and the terms of the agreement that are not subject to paragraph (25) of subsection (a) of Code Section 50-18-72 are disclosed before the vote.”
Additionally, HB 134 amends subparagraph (A) of paragraph (25) of subsection (a) of Article 4 of Chapter 18 of Title 50 of the OCGA by adding a new section v, which reads as follows:
Any document or plan for protection relating to the existence, nature, location, or function of cybersecurity devices, programs, or systems designed to protect computer, information technology, or communication systems against terrorist or other attacks that depend for their effectiveness in whole or in part upon a lack of general public knowledge;
Striking an appropriate balance between a citizen’s right to know and the government taking prudent steps to protect computing infrastructure is a difficult exercise on the best of days. No reasonable person will argue that the government does not have a compelling interest in keeping certain aspects of its operations away from public eyes. It appears that this bill is an attempt to do just that.
Unfortunately, in my analysis of the language present in this bill and considering the behavior of local governments in the aftermath of recent cybersecurity incidents (namely the City of Atlanta ransomware attack and the SolarWinds breach), this bill swings too far in the direction of keeping details from citizens and would allow government officials to effectively keep all cybersecurity-related details from public examination and citizen overview.
I believe Governor Kemp should veto this bill, and that he should ask the Georgia Assembly to send him a bill that uses more tailored, nuanced language that would greatly narrow the size of the exemption being asked for. This bill as currently written is simply too vague and easily abused by governments as an excuse to avoid talking about cybersecurity-related matters completely.
Governor Kemp signed HB 156 (https://www.legis.ga.gov/legislation/59069) into law on March 25th, and it went into immediate effect.
HB 156 added two new code sections to the OCGA (38-3-22.2 and 38-3-22.3), but it’s section 38-3-22.2 that is problematic. This new code section requires government agencies and utilities to:
report to the director of emergency management and homeland security, or his or her designee, any cyber attack incident, data breach, or identified use of malware on an agency or computer or network determined by the director to be the type of cyber attack, data breach, or use of malware to create a life-safety event, substantially impact the security of data and information systems, or affect critical systems, equipment, or service delivery.
So far, so good. This language is similar to efforts on the federal level and is appropriately tailored to be effective without broad overreach.
Unfortunately, section (d) exempts any reports or records created in response to this code section from disclosure:
Any reports or records produced pursuant to this Code section shall not be subject to public inspection or disclosure under Article 4 of Chapter 18 of Title 50.
I have the same concerns about the public examination and citizen overview here as I did above. Unfortunately, this is already law in the state of Georgia, so the only path forward is to work with legislators to craft legislation in the next session to address these concerns.