Skip to Main Content
Ahead of the Curve Auto Supplier
BlogsPublications | March 20, 2018
2 minute read
Ahead of the Curve Auto Supplier

Cybersecurity and Roads Data Gain Protection from Public Disclosure

On March 19, 2018, Michigan Governor Rick Snyder signed into law a new set of exemptions protecting certain types of information from disclosure under the state’s Freedom of Information Act. The measures are designed to protect the confidentiality, integrity, and availability of certain information systems, as well as cybersecurity plans, assessments, or vulnerabilities.

Specifically excluded from disclosure is “information that would reveal the identity of a person who could, as a result of disclosure of the information, become a victim of a cybersecurity incident, or that would reveal the person's cybersecurity plans, or cybersecurity-related practices.” These amendments were prompted by concern that private companies that experience data breaches and other cybersecurity have been reluctant to disclose information about the incidents to the public authorities charged with preventing them, out of fear that, once in the hands of a public body, that data could then be available to the general public—including to bad actors who would use the data to do further harm to the victims.
 
The new law also exempts data related to transportation infrastructures. Specifically, the amendment exempts from disclosure “Research data on road and attendant infrastructure collected, measured, recorded, processed, or disseminated by a public agency or private entity, or information about software or hardware created or used by the private entity for such purposes.” This provision was added late in the legislative process by the Senate to the House bill, which had originally dealt only with cybersecurity, and remained in the final consensus version sent to the Governor. The language of this provision raises several questions. What is “research data,” and how does it differ from other types of data? Does traffic data qualify? Does the inclusion of this provision within a cybersecurity bill suggest that it is intended to promote the development of vehicle-to-infrastructure digital communication networks, or is it a more defensive reaction to concerns over crumbling physical roadways? These and similar questions remain for the courts, or future legislation, to clarify.