CYBER CIVILIAN CORPS PROGRAM                                                         H.B. 4508 (H-1):

                                                                               SUMMARY OF HOUSE-PASSED BILL

                                                                                                         IN COMMITTEE

 

 

 

 

 

 

 

House Bill 4508 (Substitute H-1 as passed by the House)

Sponsor:  Representative Brandt Iden

House Committee:  Communications and Technology

Senate Committee:  Energy and Technology

 

Date Completed:  9-7-17

 

CONTENT

 

The bill would create the "Cyber Civilian Corps Act" to do the following:

 

--    Establish the Michigan Cyber Civilian Corps program within the Department of Technology, Management, and Budget (DTMB).

--    Allow the DTMB to invite and appoint individuals with expertise in addressing cybersecurity incidents to serve as Michigan Cyber Civilian Corps volunteers who would provide response and assistance during such incidents.

--    Require all volunteers to consent to a criminal history check and a criminal records check.

--    Prescribe the manner in which the DTMB would deploy volunteers to respond to cybersecurity incidents upon the request of clients.

--    Allow the DTMB to charge clients a fee.

--    Create an advisory board to review and make recommendations to the DTMB.

--    Provide that a volunteer would be immune from tort liability while deployed, if certain conditions were met, and the State would be immune from liability for the acts or omissions of a volunteer.

 

The bill would take effect 90 days after it was enacted.

 

Definitions

 

"Michigan cyber civilian corps" would mean a program under which civilian volunteers who have expertise in addressing cybersecurity incidents may volunteer at the invitation of the DTMB to provide rapid response assistance to a municipal, educational, nonprofit, or business organization in need of expert assistance during a cybersecurity incident.

 

"Client" would mean a municipal, educational, nonprofit, or business organization that has requested and is using the rapid response assistance of the Michigan Cyber Civilian Corps under the direction of the DTMB.

 

"Cybersecurity incident" would mean an event occurring on or conducted through a computer network that actually or imminently jeopardized the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. Cybersecurity incident would include, but not be limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.

 

 

Volunteers

 

The Department could appoint individuals to serve as Michigan Cyber Civilian Corps volunteers for the purposes of facilitating the responsibilities of the DTMB.

 

The Department would have to enter into a contract with any individual who wished to accept an invitation to serve as a Michigan Cyber Civilian Corps volunteer. The contract would have to include, at a minimum, all of the following:

 

--    A provision acknowledging the confidentiality of information relating to Michigan, Michigan residents, and clients.

--    A provision protecting from disclosure any confidential information of Michigan, Michigan residents, or clients acquired by the volunteer through participation in the Michigan Cyber Civilian Corps.

--    A provision requiring the volunteer to avoid conflicts of interest that could arise from a particular deployment.

--    A provision requiring the volunteer to comply with all existing DTMB security policies and procedures regarding information technology resources.

--    A provision requiring the volunteer to consent to a background screening considered appropriate by the DTMB, and a section in which the individual consented to a criminal history check and a criminal records check (as described below).

--    A provision requiring the volunteer to attest that he or she met any standards of expertise that could be established by the DTMB.

 

Background Check

 

When an individual accepted an invitation to serve as a Michigan Cyber Civilian Corps volunteer, the DTMB would have to request the Michigan Department of State Police (MSP) to do the following:

 

--    Conduct a criminal history check on the individual.

--    Conduct a criminal records check through the Federal Bureau of Investigation (FBI) on the individual.

 

An individual who accepted an invitation to the Michigan Cyber Civilian Corps would have to give written consent in the volunteer agreement for the MSP to conduct the required criminal history check and criminal records check. The DTMB would have to require the individual to submit his or her fingerprints to the MSP and the FBI for the criminal records check.

 

The DTMB would have to request a criminal history check and criminal records check on all individuals who wished to participate as Michigan Cyber Civilian Corps volunteers. The Department would have to make the request on a form and in a manner prescribed by the MSP.

 

Within a reasonable time after receiving a complete request by the DTMB for a criminal history check and a criminal records check on an individual, the MSP would have to conduct the criminal history check and provide a report of the results to the DTMB. The report would have to contain any criminal history record information on the individual maintained by the MSP.

 

Within a reasonable time after receiving a proper request by the DTMB for a criminal records check on an individual, the MSP would have to initiate the criminal records check. After receiving the results of the check from the FBI, the MSP would have to provide a report of the results to the DTMB.

 

The Department of State Police could charge the DTMB a fee for a criminal history check or a criminal records check that could not exceed the actual and reasonable cost of conducting the check.

 

Immunity from Liability

 

A Michigan Cyber Civilian Corps volunteer would not be an agent, employee, or independent contractor for the State for any purpose and would have no authority to bind the State with regard to third parties.

 

The State would not be liable to a Michigan Cyber Civilian Corps volunteer for personal injury or property damage he or she suffered through participation in the Michigan Cyber Civilian Corps.

 

Except as otherwise provided, the DTMB and the State would be immune from tort liability for acts or omissions by a Michigan Cyber Civilian Corps volunteer.

 

Except as otherwise provided, and without regard to the discretionary or ministerial nature of the conduct of a Michigan Cyber Civilian Corps volunteer, each volunteer would be immune from tort liability for an injury to a person or damage to property that occurred while deployed and acting on behalf of the DTMB if all of the following were met:

 

--    The volunteer was acting or reasonably believed that he or she was acting within the scope of his or her authority.

--    The volunteer's conduct did not amount to gross negligence that was the proximate cause of the injury or damage.

--    The volunteer's conduct was not a material breach of the volunteer agreement during the deployment.

 

("Gross negligence" would mean conduct so reckless as to demonstrate a substantial lack of concern for whether an injury results.)

 

If a claim were made or a civil action were commenced against a Michigan Cyber Civilian Corps volunteer for injuries to people or property caused by negligence of a volunteer that occurred while in the course of his or her deployment on behalf of the DTMB and while acting within the scope of his or her authority, the DTMB could pay for, engage, or furnish the services of an attorney to advise the volunteer as to the claim and to appear for and represent the volunteer in the action. The Department could compromise, settle, and pay the claim before or after the commencement of a civil action. Whenever a judgment for damages was awarded against a volunteer as a result of a civil action for personal injuries or property damage caused by the volunteer while in the course of his or her deployment and while acting within the scope of his or her authority, the DTMB could indemnify the volunteer or pay, settle, or compromise the judgment.

 

If a criminal were commenced against a Michigan Cyber Civilian Corps volunteer based upon the volunteer's conduct in the course of his or her deployment, if the volunteer had a reasonable basis for believing that he or she was acting within the scope of his or her authority at the time of the alleged conduct, the DTMB could pay for, engage, or furnish the services of an attorney to advise the volunteer as to the action, and to appear for and represent the volunteer in the action. A volunteer who had incurred legal expenses for this conduct could obtain reimbursement for those expenses.

 

These provisions would impose no liability on the State or the DTMB.

 

Deployment

 

On the occurrence of a cybersecurity incident that affected a client, the client could request the DTMB to deploy one or more Michigan Cyber Civilian Corps volunteers to provide rapid response assistance under the discretion of the DTMB.

 

The Department, in its discretion, could initiate deployment of Michigan Cyber Civilian Corps volunteers upon the occurrence of a cybersecurity incident and the request of a client.

 

Acceptance of a deployment by a Michigan Cyber Civilian Corps volunteer for a particular cybersecurity incident would have to be made in writing. A volunteer could decline to accept deployment for any reason.

 

To initiate the deployment of a Michigan Cyber Civilian Corps volunteer for a particular cybersecurity incident, the DTMB would have to indicate in writing that the volunteer was authorized to provide the assistance. A single writing could initiate the deployment of more than one volunteer. The Department would have to maintain a writing initiating the deployment of a volunteer to provide assistance to a client for six years from the time of deployment or for the time required under the DTMB's record retention policies, whichever was longer.

 

The deployment of a Michigan Cyber Civilian Corps volunteer to provide assistance to a client would have to be for seven days unless the writing initiating the deployment contained a different period. At the discretion of the DTMB, the deployment of a Michigan Cyber Civilian Corps volunteer could be extended in writing in the same manner as the initial deployment.

 

Advisory Board

 

The Michigan Cyber Civilian Corps Advisory Board would be created as an advisory board within the DTMB.

 

The Advisory Board would be composed of the Adjutant General, the Director of the DTMB, the Director of the MSP, and the Director of the Department of Talent and Economic Development or their designees.

 

The Advisory Board would have to review and make recommendations to the DTMB regarding the policies and procedures used by the Department in implementing the proposed Act.

 

Department Responsibilities

 

After consultation with the Advisory Board, the chief information officer would have to do the following:

 

--    Approve the set of tools that the Michigan Cyber Civilian Corps could use in response to a cybersecurity incident.

--    Determine the standards of expertise necessary for an individual to become a member of the Michigan Cyber Civilian Corps.

 

("Chief information officer" would mean an individual within the DTMB designated by the Governor as the chief information officer of the State.)

 

After consultation with the Advisory Board, the DTMB would have to publish guidelines for the operation of the Michigan Cyber Civilian Corps program. At a minimum, the published guidelines would have to include the following:

--    An explanation of the standard the DTMB would use to determine whether an individual could serve as a Michigan Cyber Civilian Corps volunteer and an explanation of the process by which an individual could become a volunteer.

--    An explanation of the requirements the DTMB would impose for a client to receive the assistance of the Michigan Cyber Civilian Corps and an explanation of the process by which a client could request and receive the assistance of the Corps.

 

The Department could enter into contracts with clients as a condition to providing assistance through the Michigan Civilian Cyber Corps.

 

The Department could provide appropriate training to individuals who wished to participate in the Michigan Cyber Civilian Corps and to existing Michigan Cyber Civilian Corps volunteers.

 

The Department could provide compensation for actual and necessary travel and subsistence expenses incurred by Michigan Cyber Civilian Corps volunteers on a deployment at the discretion of the DTMB.

 

The Department could establish a fee schedule for clients that wished to use the assistance of the Michigan Cyber Civilian Corps. The Department could recoup expenses through the fees, but could not generate a profit.

 

                                                                      Legislative Analyst:  Stephen Jackson

 

FISCAL IMPACT

 

The Department of Technology, Management, and Budget has indicated that the bill would not increase the DTMB's administrative costs with the creation of the Michigan Cyber Civilian Corps as those costs are already provided for. Any additional costs as a result of the bill would be absorbed within the DTMB's annual appropriations. It is expected that any costs associated with the bill's provision allowing the Department to reimburse volunteers for any claims made or civil actions brought against the volunteers would be minimal due to the provision that would extend immunity from tort liability if certain criteria were met. Any potential costs to the DTMB for these reimbursements are indeterminate and dependent on each individual case.

 

Additionally, the bill would require the DTMB to request that the Department of State Police do a criminal history check and conduct a criminal records check through the Federal Bureau of Investigation on individuals who accepted an invitation to serve as a Michigan Cyber Civilian Corps volunteer, and report to the DTMB the results of those checks. The cost of each background check, via fingerprint processing, as under current law, which includes a search of State and Federal fingerprint databases, would be $42 ($30 State fee, $12 Federal fee). Also, under current law, a law enforcement agency or vendor who takes fingerprint impressions from an individual for submission to the MSP may charge a nominal fee for doing so (often $15 or less, if anything).

 

The cost of performing fingerprint processing by the MSP would be wholly covered by the DTMB under the bill. Both the bill and current law state that the fee for fingerprint processing may not exceed the actual and reasonable cost incurred by the MSP for doing so.

 

                                                                                       Fiscal Analyst:  Bruce Baker

                                                                                                            Joe Carrasco

This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.