Recently the buzzword du jour has shifted in some circles from "Threat Intelligence" to "Information Sharing", with policy being proposed or enacted to push companies to share breaches and breach attempts with other entities in the hope of improving their network defenses. One challenge I see to free information sharing between willing and well-intentioned parties is the ambiguity of the CFAA, under which an activist prosecutor can target well-meaning individuals who attempt to bring attention to vulnerabilities or breaches of data.
As a former volunteer EMT, and having recently joined the local volunteer fire department, I can say that one of the first things you learn in basic EMT training is the legality of, and the possible liability associated with, providing assistance. One core notion is consent: as a responder I can only provide care when consent is given, either explicit or implied. Explicit consent is when I ask an adult patient whether they consent to receiving my care; implied consent applies when the patient is unable to reasonably provide consent but a rational person in their position would (e.g., an unresponsive victim).

As an analogy to InfoSec, explicit consent is a bug bounty program or other clear security guidelines: there is a published policy stating what is and is not allowed, and the organization consents to activity within those bounds. Implied consent is an interesting basis for judging whether it is acceptable for an individual or firm to come forward with information on a breach or vulnerability. When a patient is incapacitated or otherwise unable to reliably provide consent, it is implied; when a website is publishing sensitive information (as AT&T was with iPad owner details), or breach dumps are found on a third-party site or the nebulously named "dark web", is the organization reliably able to consent, or is it analogous to the patient who is "unresponsive or unable to make a rational decision (e.g., altered mental status)"?

It should be clear that explicit consent is the ideal, and that a good security team promptly responding to notifications gives the organization the most control; however, implied consent is a useful tool to help limit liability arising from prosecutorial overreach.
As a volunteer health-care provider you are protected from liability under Good Samaritan laws as long as you provide care and assistance correctly, within your scope of training, and to a consenting patient. As a basic EMT, I can be liable if I harm a patient by performing an advanced treatment I am not trained in, or if I attempt to treat a patient who refuses care. Could a similar Good Samaritan law be written for information sharing by well-meaning researchers who stay within the analogous consent framework above?
Cyber-security Philosopher and Boffin