Bill Text: MI HB4508 | 2017-2018 | 99th Legislature | Introduced
Bill Title: State agencies (existing); technology, management, and budget; Michigan cyber civilian corps act; create. Creates new act.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Passed) 2017-10-31 - Assigned Pa 132'17 With Immediate Effect [HB4508 Detail]
Download: Michigan-2017-HB4508-Introduced.html
HOUSE BILL No. 4508
April 25, 2017, Introduced by Reps. Iden, Lucido, Sheppard and Webber.
A bill to create a program under which volunteers may provide
services to organizations in this state to respond to cybersecurity
incidents; to provide for protection from liability for personal
injury and property damage; to provide for the powers and duties of
state governmental officers and agencies; and to create the
Michigan cyber civilian corps advisory board and prescribe its
powers and duties.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the "cyber
civilian corps act".
Sec. 2. As used in this act:
(a) "Advisory board" means the Michigan cyber civilian corps
advisory board created under section 8.
(b) "Chief information officer" means the individual within
the department designated by the governor as the chief information
officer for this state.
(c) "Client" means a municipal, educational, nonprofit, or
business organization that has requested and is using the rapid
response assistance of the Michigan cyber civilian corps under the
direction of the department.
(d) "Cybersecurity incident" means an event occurring on or
conducted through a computer network that actually or imminently
jeopardizes the integrity, confidentiality, or availability of
computers, information or communications systems or networks,
physical or virtual infrastructure controlled by computers or
information systems, or information resident on any of these.
Cybersecurity incident includes, but is not limited to, the
existence of a vulnerability in an information system, system
security procedures, internal controls, or implementation that is
subject to exploitation.
(e) "Department" means the department of technology,
management, and budget.
(f) "Michigan cyber civilian corps" means the program
established by this act under which civilian volunteers who have
expertise in addressing cybersecurity incidents may volunteer at
the invitation of the department to provide rapid response
assistance to a municipal, educational, nonprofit, or business
organization in need of expert assistance during a cybersecurity
incident.
(g) "Michigan cyber civilian corps volunteer" means an
individual who has entered into a volunteer agreement with the
department to serve as a volunteer in the Michigan cyber civilian
corps.
(h) "Volunteer agreement" means the contract entered into
between the department and a Michigan cyber civilian corps
volunteer under section 4.
Sec. 3. (1) The department may appoint individuals to serve as
Michigan cyber civilian corps volunteers for the purposes of
facilitating the responsibilities of the department as provided in
this act. Except as otherwise provided in this act, while a
Michigan cyber civilian corps volunteer is deployed as provided in
section 7, the Michigan cyber civilian corps volunteer has the same
immunity from civil liability as a department employee and must be
treated in the same manner as a department employee, as provided in
sections 7 and 8 of 1964 PA 170, MCL 691.1407 and 691.1408.
(2) If a Michigan cyber civilian corps volunteer materially
breaches his or her volunteer agreement, the Michigan cyber
civilian corps volunteer is not acting on behalf of the department,
and thus loses the immunity from civil liability described in
subsection (1).
Sec. 4. The department shall enter into a contract with any
individual who wishes to accept an invitation by the department to
serve as a Michigan cyber civilian corps volunteer. The contract
must include, at a minimum, all of the following:
(a) A provision acknowledging the confidentiality of
information relating to this state, state residents, and clients.
(b) A provision protecting from disclosure any confidential
information of this state, state residents, or clients acquired by
the Michigan cyber civilian corps volunteer through participation
in the Michigan cyber civilian corps.
(c) A provision requiring the Michigan cyber civilian corps
volunteer to avoid conflicts of interest that might arise from a
particular deployment.
(d) A provision requiring the Michigan cyber civilian corps
volunteer to comply with all existing department security policies
and procedures regarding information technology resources.
(e) A provision requiring the Michigan cyber civilian corps
volunteer to consent to background screening considered appropriate
by the department under this act, and a section in which the
individual gives that consent as described in section 5.
(f) A provision requiring the Michigan cyber civilian corps
volunteer to attest that he or she meets any standards of expertise
that may be established by the department.
Sec. 5. (1) When an individual accepts an invitation to serve
as a Michigan cyber civilian corps volunteer as described in
section 4, the department shall request the department of state
police to do both of the following:
(a) Conduct a criminal history check on the individual.
(b) Conduct a criminal records check through the Federal
Bureau of Investigation on the individual.
(2) An individual who accepts an invitation to the Michigan
cyber civilian corps shall give written consent in the volunteer
agreement for the department of state police to conduct the
criminal history check and criminal records check required under
this section. The department shall require the individual to submit
his or her fingerprints to the department of state police and the
Federal Bureau of Investigation for the criminal records check.
(3) The department shall request a criminal history check and
criminal records check under this section on all individuals who
wish to participate as Michigan cyber civilian corps volunteers.
The department shall make the request on a form and in the manner
prescribed by the department of state police.
(4) Within a reasonable time after receiving a complete
request by the department for a criminal history check and criminal
records check on an individual under this section, the department
of state police shall conduct the criminal history check and
provide a report of the results to the department. The report must
contain any criminal history record information on the individual
maintained by the department of state police.
(5) Within a reasonable time after receiving a proper request
by the department for a criminal records check on an individual
under this section, the department of state police shall initiate
the criminal records check. After receiving the results of the
criminal records check from the Federal Bureau of Investigation,
the department of state police shall provide a report of the
results to the department.
(6) The department of state police may charge the department a
fee for a criminal history check or a criminal records check
required under this section that does not exceed the actual and
reasonable cost of conducting the check. The department may pass
along to the individual the actual cost or fee charged by the
department of state police for performing a criminal history check
or a criminal records check required under this section.
Sec. 6. (1) A Michigan cyber civilian corps volunteer is not
an agent, employee, or independent contractor of this state for any
purpose and has no authority to bind this state with regard to
third parties.
(2) This state is not liable to a Michigan cyber civilian
corps volunteer for personal injury or property damage suffered by
the Michigan cyber civilian corps volunteer through participation
in the Michigan cyber civilian corps.
Sec. 7. (1) On the occurrence of a cybersecurity incident that
affects a client, the client may request the department to deploy 1
or more Michigan cyber civilian corps volunteers to provide rapid
response assistance under the direction of the department.
(2) The department, in its discretion, may initiate deployment
of Michigan cyber civilian corps volunteers upon the occurrence of
a cybersecurity incident and the request of a client.
(3) Acceptance of a deployment by a Michigan cyber civilian
corps volunteer for a particular cybersecurity incident must be
made in writing. A Michigan cyber civilian corps volunteer may
decline to accept deployment for any reason.
(4) To initiate the deployment of a Michigan cyber civilian
corps volunteer for a particular cybersecurity incident, the
department shall indicate in writing that the Michigan cyber
civilian corps volunteer is authorized to provide the assistance. A
single writing may initiate the deployment of more than 1 Michigan
cyber civilian corps volunteer.
(5) The department shall maintain a writing initiating the
deployment of a Michigan cyber civilian corps volunteer to provide
assistance to a client for 6 years from the time of deployment or
for the time required under the department's record retention
policies, whichever is longer.
(6) The deployment of a Michigan cyber civilian corps
volunteer to provide assistance to a client must be for 7 days
unless the writing initiating the deployment contains a different
period.
(7) At the direction of the department, the deployment of a
Michigan cyber civilian corps volunteer may be extended in writing
in the same manner as the initial deployment.
Sec. 8. (1) The Michigan cyber civilian corps advisory board
is created as an advisory body within the department.
(2) The Michigan cyber civilian corps advisory board is
composed of the adjutant general, the director of the department,
the director of the department of state police, and the director of
the department of talent and economic development or their
designees.
(3) The Michigan cyber civilian corps advisory board shall
review and make recommendations to the department regarding the
policies and procedures used by the department in implementing this
act.
Sec. 9. (1) After consultation with the advisory board, the
chief information officer shall do both of the following:
(a) Approve the set of tools that the Michigan cyber civilian
corps may use in response to a cybersecurity incident.
(b) Determine the standards of expertise necessary for an
individual to become a member of the Michigan cyber civilian corps.
(2) After consultation with the advisory board, the department
shall publish guidelines for the operation of the Michigan cyber
civilian corps program. At a minimum, the published guidelines must
include the following:
(a) An explanation of the standard the department will use to
determine whether an individual may serve as a Michigan cyber
civilian corps volunteer and an explanation of the process by which
an individual may become a Michigan cyber civilian corps volunteer.
(b) An explanation of the requirements the department will
impose for a client to receive the assistance of the Michigan cyber
civilian corps and an explanation of the process by which a client
may request and receive the assistance of the Michigan cyber
civilian corps.
(3) The department may enter into contracts with clients as a
condition to providing assistance through the Michigan cyber
civilian corps.
(4) The department may provide appropriate training to
individuals who wish to participate in the Michigan cyber civilian
corps and to existing Michigan cyber civilian corps volunteers.
(5) The department may provide compensation for actual and
necessary travel and subsistence expenses incurred by Michigan
cyber civilian corps volunteers on a deployment at the discretion
of the department.
(6) The department may establish a fee schedule for clients
that wish to use the assistance of the Michigan cyber civilian
corps. The department may recoup expenses through the fees but may
not generate a profit.
