CYBER CIVILIAN CORPS ACT
House Bill 4508 (Proposed H-1 substitute)
Sponsor: Rep. Brandt Iden
Committee: Communications and Technology
Complete to 5-22-17
SUMMARY:
House Bill 4508 would create the Cyber Civilian Corps Act to establish the Michigan Cyber Civilian Corps program within the Department of Technology, Management, and Budget (DTMB).
The new act would allow the department to invite and appoint individuals to serve as Michigan Cyber Civilian Corps volunteers, and allow civilians with expertise in addressing cybersecurity incidents to volunteer and provide a rapid response and assistance to a municipal, educational, nonprofit, or business organization in need of expert assistance during a "cybersecurity incident."
"Cybersecurity incident" refers to an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. A cybersecurity incident includes, but is not limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.
The department could provide appropriate training to prospective and existing volunteers, and could provide compensation for actual and necessary travel and subsistence expenses incurred by Michigan cyber civilian corps volunteers on a deployment at the discretion of the department.
Michigan Cyber Civilian Corps volunteer
A "Michigan Cyber Civilian Corps volunteer" refers to an individual who has entered into a volunteer agreement with the DTMB to serve as a volunteer in the corps. The department would enter into such a volunteer contract with any individual who wishes to accept an invitation to serve as a volunteer. At a minimum, the contract would have to include all of the following provisions:
· Acknowledging the confidentiality of information relating to this state, state residents, and clients. (Client refers to a municipal, educational, nonprofit, or business organization that has requested and is using the rapid response assistance of the civilian corps under the direction of the department.)
· Protecting from disclosure any confidential information of this state, state residents, or clients acquired by the volunteer through participation in the program.
· Requiring the volunteer to avoid conflicts of interest that might arise from a particular deployment; comply with all existing DTMB security policies and procedures regarding information technology resources; consent to background screening considered appropriate by the department under this act; and attest that he or she meets any standards of expertise that may be established by the department.
A Michigan Cyber Civilian Corps volunteer would not be classified as an agent, employee, or independent contractor of this state for any purpose and would have no authority to bind this state with regard to third parties. This state would also not be liable to a volunteer for personal injury or property damage suffered by volunteer through participation in the corps program.
Background check
When an individual accepts an invitation to serve as a volunteer, the department must request the Department of State Police to conduct a criminal records check through the Federal Bureau of Investigation and a criminal history check on the individual. The department shall make the request on a form and in the manner prescribed by the department of state police. The volunteer must give written consent, and submit fingerprints. The MSP must report results within a reasonable time and provide the results of the criminal records check from the FBI. The MSP may also charge the DTMB a fee for a criminal history check or a criminal records check that does not exceed the actual and reasonable cost of conducting the check.
Immunity from civil liability
Except as otherwise provided in the act, the DTMB and this state would be immune from tort liability for acts or omissions by a volunteer. In addition, also except as otherwise provided in the act, and without regard to discretionary or ministerial nature of the conduct of a volunteer, each volunteer would be immune from tort liability for an injury to a person or damage to property that occurred while deployed and acting on behalf of the DTMB, but only if all of the following are met:
· The volunteer is acting or reasonably believes that he or she is acting within the scope of his or her authority.
· The volunteer's conduct does not amount to gross negligence that is the proximate cause of the injury or damage. Gross negligence would mean conduct that is so reckless that it demonstrates a substantial lack of concern for whether an injury would occur.
· The volunteer's conduct is not a material breach of the volunteer agreement during that deployment.
If a claim is made or a civil or criminal action is commenced against a volunteer, and the above requirements are met, the DTMB could pay for, engage, or furnish the services of an attorney to advise the volunteer as to the claim and to appear for and represent the volunteer in the action. The DTMB could also compromise, settle, and pay a civil claim before or after the commencement of a civil action or for a judgment for damages, as well as indemnify the volunteer for a judgment. Furthermore, a volunteer could obtain reimbursement for legal expenses incurred stemming from a criminal action.
Deployment
On the occurrence of a cybersecurity incident that affects a client, the client may request DTMB to deploy one or more volunteers to provide rapid response assistance under the direction of the department. The department would have discretion to initiate deployment of volunteers upon the occurrence of a cybersecurity incident and the request of a client. The deployment of a volunteer to assist a client would be for seven days, unless the writing initiating the deployment contains a different period. At the direction of the department, the deployment of a volunteer could be extended in writing in the same manner as the initial deployment.
A volunteer would be able to decline to accept deployment for any reason. If a volunteer accepts deployment for a cybersecurity incident, acceptance would have be in writing.
To initiate the deployment of a volunteer for a cybersecurity incident, the department would indicate in writing that the volunteer is authorized to provide the assistance. A single writing could initiate the deployment of more than one volunteer. The department would also be required to maintain the writing for six years from the time of deployment or for the time required under the department's record retention policies, whichever is longer.
Advisory board
The Michigan Cyber Civilian Corps Advisory Board would be created as an advisory body within the department. The advisory board would be composed of the Adjutant General (National Guard), the director DTMB, the director of Michigan State Police, and the director of the Department of Talent and Economic Development (or their designees). The advisory board would also be responsible in reviewing and making recommendations to the STMB regarding the policies and procedures to be used in implementing this act.
Department responsibilities
After consultation with the advisory board, the DTMB's chief information officer would be required to approve the set of tools that the corps could use in response to a cybersecurity incident and to determine the standards of expertise necessary for an individual to become a member of the corps. (The "chief information officer" is defined in the bill the individual within the DTMB designated by the governor as the chief information officer for the state.)
Also after consultation with the advisory board, the department would be required to publish guidelines for the operation of the corps program. At a minimum, the published guidelines would have to include the following:
· An explanation of the standard use to determine whether an individual could serve as a volunteer and an explanation of the process by which an individual could become a volunteer.
· An explanation of the requirements imposed for a client to receive the assistance of the corps and an explanation of the process by which a client may request and receive assistance.
The DTMB would be the entity to enter into contracts with clients as a condition to providing assistance through the corps. The department could also establish a fee schedule for clients. The department may recoup expenses through the fees but may not generate a profit.
This act would take effect 90 days after the date it is enacted into law.
FISCAL IMPACT:
The bill would have an indeterminate, but likely minimal, direct fiscal impact to the DTMB. The department is already an administrator to the existing Michigan Cyber Civilian Corps (MiC3) and would not incur significant costs to expand the program as described in the bill. There would likely be costs related to training an increased number of volunteers; however, these costs could be offset by charging clients a fee, an option the bill provides.
The bill could help reduce future negative fiscal impacts to local governments and state agencies. While additional volunteer workers would not replace any current full-time worker equivalent costs, an expanded volunteer program could help reduce costs to the state by mitigating the need for additional cybersecurity staff as cyber threats increase. The bill could also reduce potential future costs by minimizing the impact to government organizations and the disruption of services following a cybersecurity incident through the deployment of trained volunteers.
Legislative Analyst: Emily S. Smith
Fiscal Analyst: Mike Cnossen
■ This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.