Tim Pawlenty Makes It Clear Banks Want Immunity for Negligence
The business community is launching a big push for the Cyber Information Sharing Act over the recess, with the Chamber of Commerce pushing hard and now the Financial Services Roundtable’s Tim Pawlenty weighing in today.
Pawlenty is fairly explicit about why banks want the bill: so that if they’re attacked and share data with the government, they cannot be sued for negligent maintenance of data.
“If I think you’ve attacked me and I turn that information over to the government, is that going to be subject to the Freedom of Information Act?” he said, highlighting a major issue for senators concerned about privacy.
“If so, are the trial lawyers going to get it and sue my company for negligent maintenance of data or cyber defenses?” Pawlenty continued. “Are my regulators going to get it and come back and throw me in jail, or fine me or sanction me? Is the public going to have access to it? Are my competitors going to have access to it? Are they going to be able to see my proprietary cyber systems in a way that will give up competitive advantage?”
CISA has been poorly framed, he explained.
“It should be called the cyber teamwork bill,” Pawlenty said.
As I’ve pointed out repeatedly, what the banks would get here is far more than they get under the Bank Secrecy Act, where they get immunity for sharing data, but are required to do certain things to protect against financial crimes.
Here, banks (and other corporations, but never natural people) get immunity without having to have done a damn thing to keep their customers safe.
Which is why CISA is counterproductive for cybersecurity.
Bank negligence is redundant. The cost of relentless lobbying that yields immunity generates a marvelous profit margin. Even minimal liability for negligence – typically systemic, but provable only with documentary evidence a bank would deem proprietary – would be enormously costly. And generate demands for change. Rigging the system also maintains bank secrecy and avoids disclosures attendant on litigation – assuming plaintiffs could avoid the ubiquitous bank demand for private arbitration. Those disclosures would likely include self-dealing and conflicts of interest, shoddy systems, poor standards, and inconsequential penalties for violating those. As Bill Black might say, large banks are fundamentally criminogenic systems.