SB 315 put on the back-burner, pending further discussion

Georgia’s cybersecurity community breathed a collective sigh of relief yesterday, as Governor Nathan Deal announced he was vetoing a controversial computer crime bill that had the potential to criminalize researchers.

As previously reported in The Daily Swig, Senate Bill 315 (SB 315) was conceived as a means of strengthening the US state’s cybersecurity laws through the criminalization of unauthorized computer access.

Under the proposed legislation, anyone who accessed a computer or computer network without permission risked fines of up to $5,000 or a year in prison.

However, as the bill passed through the Senate at the end of March, it quickly gained traction in the security community for all the wrong reasons, due to the possibility that the legislation could also penalize security researchers who report vulnerabilities in an ethical way.

Among those leading the charge against SB 315 was the non-profit Electronic Frontier Foundation (EFF), which called for Governor Deal to veto the “dangerous” legislation before it was ratified.

This was followed by a letter signed by 55 cybersecurity professionals that also urged the Governor to push back on the bill.

It now seems – for the time being, at least – that this quest has been successful, as Governor Deal yesterday announced he had vetoed SB 315.

“After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cybersecurity legislation,” Governor Deal stated.

“Certain components of the legislation have led to concerns regarding national security implications and other potential ramifications.

“Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.

The EFF was quick to toast a “victory” against the “short-sighted” computer crime bill, but Professor Andy Green, lecturer of information security at Kennesaw State University, urged caution and humility among the infosec community ahead of the planned future discussions.

“Going forward, we will need to work in a collaborative manner with the Attorney General’s office, law enforcement agencies, and state legislators in order to ensure that a better version of this bill is drafted and ready for the next legislative session,” Green said in a blog post today.

“Legislation of cybersecurity-related issues is only going to become more important moving forward. Now is the time for us to extend our collective hands, in an effort to help elected officials understand the issues to be considered when drafting new legislation.

“Only in this way can we hope to avoid a repeat of the problems seen with SB 315.”