Bill Text: MI HB4508 | 2017-2018 | 99th Legislature | Engrossed
Bill Title: State agencies (existing); technology, management, and budget; Michigan cyber civilian corps act; create. Creates new act.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Passed) 2017-10-31 - Assigned Pa 132'17 With Immediate Effect [HB4508 Detail]
Download: Michigan-2017-HB4508-Engrossed.html
HB-4508, As Passed Senate, October 10, 2017
SENATE SUBSTITUTE FOR
HOUSE BILL NO. 4508
A bill to create a program under which volunteers may provide
services to organizations in this state to respond to cybersecurity
incidents; to provide for protection from liability for personal
injury and property damage; to provide for the powers and duties of
state governmental officers and agencies; and to create the
Michigan cyber civilian corps advisory board and prescribe its
powers and duties.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the "cyber
civilian corps act".
Sec. 2. As used in this act:
(a) "Advisory board" means the Michigan cyber civilian corps
advisory board created under section 9.
(b) "Chief information officer" means the individual within
the department designated by the governor as the chief information
officer for this state.
(c) "Client" means a municipal, educational, nonprofit, or
business organization that has requested and is using the rapid
response assistance of the Michigan cyber civilian corps under the
direction of the department.
(d) "Cybersecurity incident" means an event occurring on or
conducted through a computer network that actually or imminently
jeopardizes the integrity, confidentiality, or availability of
computers, information or communications systems or networks,
physical or virtual infrastructure controlled by computers or
information systems, or information resident on any of these.
Cybersecurity incident includes, but is not limited to, the
existence of a vulnerability in an information system, system
security procedures, internal controls, or implementation that is
subject to exploitation.
(e) "Department" means the department of technology,
management, and budget.
(f) "Michigan cyber civilian corps" means the program
established by this act under which civilian volunteers who have
expertise in addressing cybersecurity incidents may volunteer at
the invitation of the department to provide rapid response
assistance to a municipal, educational, nonprofit, or business
organization in need of expert assistance during a cybersecurity
incident.
(g) "Michigan cyber civilian corps volunteer" means an
individual who has entered into a volunteer agreement with the
department to serve as a volunteer in the Michigan cyber civilian
corps.
(h) "Volunteer agreement" means the contract entered into
between the department and a Michigan cyber civilian corps
volunteer under section 4.
Sec. 3. The department may appoint individuals to serve as
Michigan cyber civilian corps volunteers for the purposes of
facilitating the responsibilities of the department as provided in
this act.
Sec. 4. The department shall enter into a contract with any
individual who wishes to accept an invitation by the department to
serve as a Michigan cyber civilian corps volunteer. The contract
must include, at a minimum, all of the following:
(a) A provision acknowledging the confidentiality of
information relating to this state, state residents, and clients.
(b) A provision protecting from disclosure any confidential
information of this state, state residents, or clients acquired by
the Michigan cyber civilian corps volunteer through participation
in the Michigan cyber civilian corps.
(c) A provision requiring the Michigan cyber civilian corps
volunteer to avoid conflicts of interest that might arise from a
particular deployment.
(d) A provision requiring the Michigan cyber civilian corps
volunteer to comply with all existing department security policies
and procedures regarding information technology resources.
(e) A provision requiring the Michigan cyber civilian corps
volunteer to consent to background screening considered appropriate
by the department under this act, and a section in which the
individual gives that consent as described in section 5.
(f) A provision requiring the Michigan cyber civilian corps
volunteer to attest that he or she meets any standards of expertise
that may be established by the department.
Sec. 5. (1) When an individual accepts an invitation to serve
as a Michigan cyber civilian corps volunteer as described in
section 4, the department shall request the department of state
police to do both of the following:
(a) Conduct a criminal history check on the individual.
(b) Conduct a criminal records check through the Federal
Bureau of Investigation on the individual.
(2) An individual who accepts an invitation to the Michigan
cyber civilian corps shall give written consent in the volunteer
agreement for the department of state police to conduct the
criminal history check and criminal records check required under
this section. The department shall require the individual to submit
his or her fingerprints to the department of state police and the
Federal Bureau of Investigation for the criminal records check.
(3) The department shall request a criminal history check and
criminal records check under this section on all individuals who
wish to participate as Michigan cyber civilian corps volunteers.
The department shall make the request on a form and in the manner
prescribed by the department of state police.
(4) Within a reasonable time after receiving a complete
request by the department for a criminal history check and criminal
records check on an individual under this section, the department
of state police shall conduct the criminal history check and
provide a report of the results to the department. The report must
indicate that the individual is cleared or not cleared to become a
Michigan cyber civilian corps volunteer.
(5) Within a reasonable time after receiving a proper request
by the department for a criminal records check on an individual
under this section, the department of state police shall initiate
the criminal records check with the Federal Bureau of
Investigation. After receiving the results of the criminal records
check from the Federal Bureau of Investigation, the department of
state police shall provide a report to the department that
indicates that the individual is cleared or not cleared to become a
Michigan cyber civilian corps volunteer.
(6) If a criminal arrest fingerprint is subsequently submitted
to the department of state police and matches against a fingerprint
that was submitted pursuant to this act and stored in its automated
fingerprint identification system (AFIS) database, the department
of state police shall notify the department that the individual is
still cleared or is no longer cleared to continue as a Michigan
cyber civilian corps volunteer. When the department of state police
is able to participate with the Federal Bureau of Investigation
automatic notification system, then any subsequent arrest
fingerprint submitted to the Federal Bureau of Investigation must
also be reviewed by the department of state police. The department
of state police shall provide a report to the department that
indicates that the individual is still cleared or is no longer
cleared to continue as a Michigan cyber civilian corps volunteer.
Sec. 6. (1) A Michigan cyber civilian corps volunteer is not
an agent, employee, or independent contractor of this state for any
purpose and has no authority to bind this state with regard to
third parties.
(2) This state is not liable to a Michigan cyber civilian
corps volunteer for personal injury or property damage suffered by
the Michigan cyber civilian corps volunteer through participation
in the Michigan cyber civilian corps.
Sec. 7. (1) Except as otherwise provided in this section, the
department and this state are immune from tort liability for acts
or omissions by a Michigan cyber civilian corps volunteer under
this act.
(2) Except as otherwise provided in this section, and without
regard to discretionary or ministerial nature of the conduct of a
Michigan cyber civilian corps volunteer, each Michigan cyber
civilian corps volunteer is immune from tort liability for an
injury to a person or damage to property that occurred while
deployed and acting on behalf of the department if all of the
following are met:
(a) The Michigan cyber civilian corps volunteer is acting or
reasonably believes that he or she is acting within the scope of
his or her authority.
(b) The Michigan cyber civilian corps volunteer's conduct does
not amount to gross negligence that is the proximate cause of the
injury or damage.
(c) The Michigan cyber civilian corps volunteer's conduct is
not a material breach of the volunteer agreement during that
deployment.
(3) If a claim is made or a civil action is commenced against
a Michigan cyber civilian corps volunteer for injuries to persons
or property caused by negligence of a Michigan cyber civilian corps
volunteer that occurred while in the course of his or her
deployment on behalf of the department and while acting within the
scope of his or her authority, the department may pay for, engage,
or furnish the services of an attorney to advise the Michigan cyber
civilian corps volunteer as to the claim and to appear for and
represent the Michigan cyber civilian corps volunteer in the
action. The department may compromise, settle, and pay the claim
before or after the commencement of a civil action. Whenever a
judgment for damages is awarded against a Michigan cyber civilian
corps volunteer as a result of a civil action for personal injuries
or property damage caused by the Michigan cyber civilian corps
volunteer while in the course of his or her deployment and while
acting within the scope of his or her authority, the department may
indemnify the Michigan cyber civilian corps volunteer or pay,
settle, or compromise the judgment.
(4) If a criminal action is commenced against a Michigan cyber
civilian corps volunteer based upon the conduct of the Michigan
cyber civilian corps volunteer in the course of his or her
deployment, if the Michigan cyber civilian corps volunteer had a
reasonable basis for believing that he or she was acting within the
scope of his or her authority at the time of the alleged conduct,
the department may pay for, engage, or furnish the services of an
attorney to advise the Michigan cyber civilian corps volunteer as
to the action, and to appear for and represent the Michigan cyber
civilian corps volunteer in the action. A Michigan cyber civilian
corps volunteer who has incurred legal expenses for conduct
prescribed in this subsection may obtain reimbursement for those
expenses under this subsection.
(5) This section does not impose liability on this state or
the department.
(6) As used in this section, "gross negligence" means conduct
so reckless as to demonstrate a substantial lack of concern for
whether an injury results.
Sec. 8. (1) On the occurrence of a cybersecurity incident that
affects a client, the client may request the department to deploy 1
or more Michigan cyber civilian corps volunteers to provide rapid
response assistance under the direction of the department.
(2) The department, in its discretion, may initiate deployment
of Michigan cyber civilian corps volunteers upon the occurrence of
a cybersecurity incident and the request of a client.
(3) Acceptance of a deployment by a Michigan cyber civilian
corps volunteer for a particular cybersecurity incident must be
made in writing. A Michigan cyber civilian corps volunteer may
decline to accept deployment for any reason.
(4) To initiate the deployment of a Michigan cyber civilian
corps volunteer for a particular cybersecurity incident, the
department shall indicate in writing that the Michigan cyber
civilian corps volunteer is authorized to provide the assistance. A
single writing may initiate the deployment of more than 1 Michigan
cyber civilian corps volunteer.
(5) The department shall maintain a writing initiating the
deployment of a Michigan cyber civilian corps volunteer to provide
assistance to a client for 6 years from the time of deployment or
for the time required under the department's record retention
policies, whichever is longer.
(6) The deployment of a Michigan cyber civilian corps
volunteer to provide assistance to a client must be for 7 days
unless the writing initiating the deployment contains a different
period.
(7) At the direction of the department, the deployment of a
Michigan cyber civilian corps volunteer may be extended in writing
in the same manner as the initial deployment.
Sec. 9. (1) The Michigan cyber civilian corps advisory board
is created as an advisory body within the department.
(2) The Michigan cyber civilian corps advisory board is
composed of the adjutant general, the director of the department,
the director of the department of state police, and the director of
the department of talent and economic development or their
designees.
(3) The Michigan cyber civilian corps advisory board shall
review and make recommendations to the department regarding the
policies and procedures used by the department in implementing this
act.
Sec. 10. (1) After consultation with the advisory board, the
chief information officer shall do both of the following:
(a) Approve the set of tools that the Michigan cyber civilian
corps may use in response to a cybersecurity incident.
(b) Determine the standards of expertise necessary for an
individual to become a member of the Michigan cyber civilian corps.
(2) After consultation with the advisory board, the department
shall publish guidelines for the operation of the Michigan cyber
civilian corps program. At a minimum, the published guidelines must
include the following:
(a) An explanation of the standard the department will use to
determine whether an individual may serve as a Michigan cyber
civilian corps volunteer and an explanation of the process by which
an individual may become a Michigan cyber civilian corps volunteer.
(b) An explanation of the requirements the department will
impose for a client to receive the assistance of the Michigan cyber
civilian corps and an explanation of the process by which a client
may request and receive the assistance of the Michigan cyber
civilian corps.
(3) The department may enter into contracts with clients as a
condition to providing assistance through the Michigan cyber
civilian corps.
(4) The department may provide appropriate training to
individuals who wish to participate in the Michigan cyber civilian
corps and to existing Michigan cyber civilian corps volunteers.
(5) The department may provide compensation for actual and
necessary travel and subsistence expenses incurred by Michigan
cyber civilian corps volunteers on a deployment at the discretion
of the department.
(6) The department may establish a fee schedule for clients
that wish to use the assistance of the Michigan cyber civilian
corps. The department may recoup expenses through the fees but may
not generate a profit.
(7) Information voluntarily given to the Michigan cyber
command center or obtained under this act that would identify or
provide a means of identifying a person that may, as a result of
disclosure of the information, become a victim of a cybersecurity
incident or that would disclose a person's cybersecurity plans or
cybersecurity-related practices, procedures, methods, results,
organizational information system infrastructure, hardware, or
software is exempt from disclosure under the freedom of information
act, 1976 PA 442, MCL 15.231 to 15.246.
Enacting section 1. This act takes effect 90 days after the
date it is enacted into law.
