This article has been updated since originally published to reflect the current status of SB 315, which is now heading to the Governor’s desk.)
The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S)
(PDF / legis.ga.gov) on Tuesday, March 27, 2018, on the Senate voted 42 to 7 to
accept the House changes in the last hours of the session on Thursday, March 29, 2018.
This bill has been specifically crafted to make critical security threat research a crime now heads to Governor Deal’s desk for his signature or veto.
GA SB 315 protects the 94% of the Forbes 2000 public companies that have no way
to report a security hole at the expense of the public. They do not need this
protection. We need a way to hold them accountable so that they fix their
This chilling fact was part of recent US Senate testimony by Katie Moussouris,
the security professional responsible for launching Microsoft’s and the
US Department of Defense’s first bug bounty programs.
That means only 120 of these companies have a formal program to receive
information about and actively fix security flaws that impact the public. The other 1880 will just as soon press criminal charges or civilly sue anyone who dares attempt
to bring a security hole to their attention. Many of these companies would rather
put their heads in the sand and pretend that they have no issues than to actually
fix fundamental security problems with their IT systems. This is why we hear so much
about cybersecurity insurance and companies and governments paying ransom to unlock
their data rather than actually deploying comprehensive security controls in the
Please contact Governor Nathan Deal and ask that he VETO SB 315! Tell him that
our Internet security is too important to jeopardize with an overly broad bill
that can be used to put innocent Georgians in jail and destroy the careers of law
abiding citizens while doing nothing to hold the companies who put our data at risk accountable.