Georgia Governor Vetoes Broad-Reaching Computer Crime Bill, Highlighting Debate Around Bug Bounty Programs

On May 8, Georgia Governor Nathan Deal announced that he was vetoing Senate Bill 315 (“SB 315” or “the bill”), cybersecurity legislation that would have expanded the criminalization of “unauthorized computer access” to capture, in addition to traditional hacking, activity that opponents warned is necessary to robust private and public sector cyber defense.  In his veto statement, Governor Deal commented that parts of SB 315 “have led to concerns regarding national security implications and other potential ramifications” that caused him to conclude that “while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.”

The Georgia State Senate had recently voted 42-7 to approve SB 315, which criminalized unauthorized computer access with maximum penalties of up to one year of incarceration and a fine of $5,000.  However, the bill allowed for certain exemptions. SB 315 expressly did not apply to: members of the same household; access to a computer of computer network for a “legitimate business activity”; cybersecurity “defensive measures that are designed to prevent or detect unauthorized computer access”; and “violations of terms of service or user agreements.”

SB 315 faced opposition from both private companies and information security researchers.  Representatives from large technology companies had urged Governor Deal to veto SB 315 because they contended that exempting “defensive measures” could lead to abusive and anticompetitive practices. Security researchers also voiced concerns. Specifically, researchers believed that the current version of SB 315 could chill security research—both the purely academic and the “white hats”—ultimately discouraging individuals from identifying vulnerabilities in networks and alerting system administrators of the issues.

These concerns relate to the ongoing debate over increasingly popular so-called “bug bounty” or vulnerability disclosure programs. Organizations have employed bug bounty programs in an effort to encourage researchers to report security flaws in their systems.  The federal government has also taken notice of these efforts.  For instance, the government launched a bug bounty initiative through the Department of Defense’s “Hack the Pentagon” program and the Department of Justice’s July 2017 Framework for a Vulnerability Disclosure Program for Online Systems published to assist companies with adopting programs that are within the law.

But recent data security incidents have prompted private and public sector actors to examine legal limitations of legislation that seeks to penalize unauthorized computer access and to consider the risk of abusive practices presented by some bug bounty programs. For example, Uber recently announced that the company had experienced a 2016 incident where two individuals outside of Uber “inappropriately accessed user data stored on a third-party cloud-based service” that included “the names and driver’s license numbers of around 600,000 drivers in the United States” as well as millions of user’s “names, email addresses and mobile phone numbers.” The incident and Uber’s response prompted the U.S. Senate subcommittee on consumer protection, product safety, insurance, and data security to question Uber’s chief information security officer about its bug bounty program and its reported $100,000 payment to the intruders.

These data security incidents, as well as the public discourse surrounding SB 315 and potential effects of the bill on bug bounty programs, signal that stakeholders will continue to debate similar legislation and the legal limits of vulnerability disclosure efforts.  While Georgia’s SB 315 has been vetoed, given the ongoing debate and critical nature of the issues, these debates are not likely to go away any time soon.