
Georgia SB 315, set to criminalize most independent security threat research, heads to Georgia Governor Nathan Deal for signature or veto

(This article has been updated since originally published to reflect the current status of SB 315, which is now heading to the Governor's desk.)

The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S) on Tuesday, March 27, 2018, and the Senate voted 42 to 7 to accept the House changes in the last hours of the session on Thursday, March 29, 2018. This bill, which has been specifically crafted to make critical security threat research a crime, now heads to Governor Deal’s desk for his signature or veto.

At the expense of the public, GA SB 315 protects the 94% of the Forbes 2000 public companies that provide no way to report a security hole. They do not need this protection. We need a way to hold them accountable so that they fix their vulnerabilities.

This chilling fact was part of recent US Senate testimony by Katie Moussouris, the security professional responsible for launching Microsoft’s and the US Department of Defense’s first bug bounty programs.

That means only 120 of these companies have a formal program to receive information about and actively fix security flaws that impact the public. The other 1880 would just as soon press criminal charges against or civilly sue anyone who dares attempt to bring a security hole to their attention. Many of these companies would rather put their heads in the sand and pretend that they have no issues than actually fix fundamental security problems with their IT systems. This is why we hear so much about cybersecurity insurance and about companies and governments paying ransom to unlock their data rather than deploying comprehensive security controls in the first place.

Please contact Governor Nathan Deal and ask that he VETO SB 315! Tell him that our Internet security is too important to jeopardize with an overly broad bill that can be used to put innocent Georgians in jail and destroy the careers of law-abiding citizens while doing nothing to hold accountable the companies that put our data at risk.