Liability concerns chill industry participation
Industry is fretting potential liability issues tied to interaction with the ISACs
No sooner did the new homeland security legislation cast aside — at least for now — concerns that sensitive information filtering through the Information Sharing and Analysis Centers could become public via the Freedom of Information Act (FOIA), than industry began fretting over a new concern: potential liability issues tied to interaction with the ISACs.
For example, what happens if a company, public utility or state government reports a potential vulnerability that is not acted on? If consequences ensue, who is at fault? Could the ISAC participant be held
liable, after making a good-faith effort to sound an industry alarm?
Liability questions such as these have waxed, as the once-prominent dialogue surrounding FOIA and data disclosure at the ISACs has waned.
"The Department of Homeland Security legislation gave us some relief from the FOIA problem, but not any kind of relief from the liability problem," said William Marlow, a Science Applications International Corp. vice president who led the design team that established the financial services ISAC in 1999. "We've got a double-edged sword, and we've now dulled one edge. We've got to fix the other."
Indeed, the Homeland Security Act of 2002 signed last November was mum on liability questions, though the new law did issue a blanket FOIA waiver to entities submitting information to the ISACs.
But even this FOIA relief could prove only temporary. Congressional members such as Sens. Patrick Leahy (D-Vt.) and Joe Lieberman (D-Conn.) have made it known that they are unhappy with the Bush administration's decision to "gut" FOIA and "ram through" FOIA exemptions the senators consider to be too broad, according to a statement Leahy issued in January.
Whether Leahy, Lieberman or any other lawmakers will move to undo the FOIA exemptions remains a concern in industry, despite the fact that Congress does not favor unraveling legislation that President Bush has already signed, sources said.
"When you have that kind of thing going on in the background, it gets sensitive every time you ask a [chief information officer] or [chief financial officer] to step out there and potentially take a risk," said Guy Copeland, a Computer Sciences Corp. vice president who sits on the board of directors for the information technology industry's ISAC.
While data disclosure risks may prove uncharted territory for company executives contemplating an ISAC alliance, liability risks are not. "There are always questions raised, and it gets back to whether we have undertaken all the steps we could," said Louis Leffler, manager of the electrical sector's ISAC.
Hence, liability questions are bound to arise, regardless of whether ISAC participation amounts to a window into a company's operations. "It is something people obviously have to consider from two or three aspects," Leffler said. "For instance, you've got to do risk analyses. But at the end of the day, someone might ask, 'Do you have 24-foot-high barbed wire fences around
facilities?' And though someone might ask that, it still might not have been the appropriate action to take."
Most ISAC members and potential members are in no way looking to shirk such accountability exercises. Yet still they are eager for statutes that would provide the comfort of a formal shield from liability-related litigation, many said.
In fact, the absence of such laws may prove an easy out for some companies contemplating joining an ISAC. "With corporate lawyers, the goal is often to keep something from happening," Copeland said. Therefore, liability jitters are one more reason ISAC officials have to overcome to convince prospective new members to join the centers and make the necessary investments.
However, the debate around ISACs and liability may be far from the level of maturity necessary to make possible any kind of legislative shield, noted industry watcher Lee Zeichner, president of LegalNetworks Inc. Is the government, ISAC or participating member "required to act once they are aware of something? These are thorny issues, but most have not been completely thought through," he said.
NEXT STORY: Matthews named Transportation CIO