LANSING, Mich. — Cybersecurity plans and vulnerabilities would be exempt from open-records requests under legislation approved by Michigan lawmakers Tuesday.
House members sent the bill to Gov. Rick Snyder in a 104-4 vote, paving the way for the state to block cybersecurity information shared with Michigan State Police and other public bodies. Supporters of the exclusion said that without it, companies might be reluctant to cooperate with officials in the event of a security breach for fear of sensitive information being released under the Freedom of Information Act.
Snyder spokeswoman Tanya Baker said in a statement that the governor looks forward to reviewing the final bill.
“Given his private sector background, he understands better than most how the protection of private and sensitive computer data is critical to effectively combatting cybersecurity incidents,” Baker said.
Rep. Brandt Iden spearheaded the endeavor as part of a package of cybersecurity reforms being wrung out by the Legislature and the governor’s office.
“We’ve been working to ensure that Michigan is number one when it comes to cybersecurity,” said the Republican from Oshtemo. “That other states, when they look at how to do cybersecurity, they look at Michigan.”
Under current law, Michigan is already required to shield information “designed to protect the security or safety of persons or property” from disclosure. Topics under this new exemption include cybersecurity assessments, plans, and past and ongoing breaches.
Iden said Michigan State Police, which endorsed the bill, testified that they have had specific issues with companies sharing information during a potential hack. The exemption is intended to reassure individuals whose data is entrusted to these companies and would also apply to public agencies subject to FOIA.
The immunity also applies to any requests that could trigger a future security breach — a provision met with backlash from the Michigan Press Association, which advocates for press freedom.
The group previously voiced concern to legislators that the potential law allows for excessive exemption-taking, said association public affairs manager Lisa McGraw.
Because the designation of what constitutes “risky information” falls under the discretion of state agencies, she said, the association believes there is room for government emails to be precluded from public record.
“We understand the need for cybersecurity, but we are always concerned when you exempt things from FOIA,” McGraw said. “FOIA should be across the board and uniform as possible.”
McGraw also cited concern that the bill allows for censorship of data breaches relevant to public interest.
“If there’s a breach, we should be aware because it’s our information, too,” she said. “Always at the crux of FOIA is that taxpayers are paying for this information.”
Iden said agencies will maintain disclosure of any information relevant to public interest, and that the purpose of Tuesday’s legislation was to promise companies that sensitive information would not be released to the public.