A Haslam administration bill that would make secret the identities of companies who have cybersecurity contracts with state and local governments passed its first hurdle in the House State Government Subcommittee today, but not without some questions from the subcommittee’s chair.
The bill seeks to extend an exemption already in state law that protects information that would allow “unauthorized access” to electronic information processing systems, telecommunications systems or other communications systems of any governmental entity in Tennessee.
It would insert new language that makes secret the identity of the vendors who provide the goods and services used to protect those systems. (See HB 1543 / SB 2546) Currently the law specifically states that the identity of such vendors, as well as the cost of goods and services provided by those vendors, are not confidential.
State Rep. Cameron Sexton, R-Crossville, who is carrying the bill, said keeping the names of the vendors private would help protect the vendors and help protect the state’s information system. He said that knowing the name of the vendor would make it easier for someone to hack into the state system.
Sexton gave an example of a large data breach in South Carolina that cost the state more than $20 million to fix. But when state Rep. Bill Sanderson, R-Kenton, the subcommittee’s chairman, asked if the vendor’s name was secret in that situation, Sexton answered that it was a hack of the state’s website, not the vendor, and that he did not know if a vendor’s name was secret.
“The state feels very secure about our website and our information technology. This is an attempt to not force the vendors into the same problems,” Sexton said. “This is to protect employee or state data through IT so that the vendors are not exposed to those hacks as we are at the state.”
Sanderson also questioned if the bill was really doing anything to help, or “just making something secret.”
“If we have vendors that are providing that service to the state, and one of their main concerns is not exposing their name, it tells me that, it just seems odd to me that secrecy would be such a key issue for them that we’ve got to pass legislation that would prohibit someone from knowing who that vendor is,” Sanderson said. “If they are in the job of protecting that data, just the mere knowledge of that name, keeping that secret indicates a flaw in the company to me – that type of company.”
Sexton said that lawmakers would still be able to find out the name of the vendors and that the administration would share their identities with any lawmaker who asked.
“And if you have a constituent that wants to know that information, then you can get that information,” Sexton said.
State Rep. Darren Jernigan, D-Old Hickory, asked whether the exemption would apply to local government. Sexton said it would not.
However, government entity is defined in this part of the statute as “the state of Tennessee, and any county, municipality, city or other political subdivision of the state of Tennessee.” The proposed bill does not seek to change the definition.
Also, the proposed language in the bill says the name of the vendor “shall be confidential,” and does not provide for any discretionary release of the confidential information by the administration to a member of the General Assembly. It also does not allow for any discretionary release of a vendor’s name by lawmakers to constituents who ask for it.
Here is the current state law:
10-7-504 (i) (1) Information that would allow a person to obtain unauthorized access to confidential information or to government property shall be maintained as confidential. For the purpose of this section, “government property” includes electronic information processing systems, telecommunication systems, or other communications systems of a governmental entity subject to this chapter. For the purpose of this section, “governmental entity” means the state of Tennessee and any county, municipality, city or other political subdivision of the state of Tennessee. Such records include:
(A) Plans, security codes, passwords, combinations, or computer programs used to protect electronic information and government property;
(B) Information that would identify those areas of structural or operational vulnerability that would permit unlawful disruption to, or interference with, the services provided by a governmental entity; and
(C) Information that could be used to disrupt, interfere with, or gain unauthorized access to electronic information or government property.
(2) Information made confidential by this subsection (i) shall be redacted wherever possible and nothing in this subsection (i) shall be used to limit or deny access to otherwise public information because a file, document, or data file contains confidential information.
(3) Documents concerning the cost of protecting government property or electronic information, and the identity of vendors providing goods and services used to protect government property or electronic information shall not be confidential.
The bills seek to delete the language in (3) and replace it with this:
(3) The identities of vendors providing goods and services used to protect government property, or government employee or citizen information, shall be confidential. Documents concerning the cost of protecting government property or electronic information shall not be confidential.
Video of the subcommittee meeting is available on the state’s website.