Senate Passes Version of Cybersecurity Information Sharing Act, Awaits Resolution with House Version
On October 27, 2015, the U.S. Senate passed its version of the Cybersecurity Information Sharing Act (CISA), a bill that is designed to provide companies with legal immunity in exchange for sharing information about cyber attacks and cyber threats with the Department of Homeland Security and other companies. Exchange of the information is voluntary and companies sharing cybersecurity information are protected from legal liability for sharing the data and monitoring information systems for cyber threats.
Supporters of the bill, S. 754, believe that encouraging a free flow of information about known cyber attacks and threats is a critical step in strengthening the nation’s and industries’ defense in cybersecurity. While businesses in certain sectors already share information about cyber threats amongst themselves through information sharing and analysis centers (ISACs), proponents of the bill argue that without this legislation, companies face legal uncertainty about the implications of sharing cybersecurity information and will not share information for fear of potential liability under privacy laws and regulations. CISA has received the qualified support of the White House, as well as the support of various industry groups and the U.S. Chamber of Commerce.
While the White House praised the Senate for passing the bill, the administration did express concern over certain aspects of S. 754 that it hoped would be resolved through the ongoing legislative process. The administration noted that the bill authorized the sharing of information with any Federal entity and that the use of “potentially disruptive defensive measures” in response to network incidents may interfere with the application of other laws. The administration emphasized in a statement on October 22 that information sharing must be “consistent with certain narrow cybersecurity use restrictions, as well as privacy, confidentiality and civil liberties protections and transparent oversight.” The administration encouraged Congress to incorporate safeguards for privacy, confidentiality and civil liberties in all aspects of cyber security litigation.
Some detractors of the bill, however, note that S. 754, as passed, does not go far enough to protect individuals’ private information. While the bill offers legal protections if companies remove personally identifiable information (PII) before sharing the data, some companies and groups are troubled that unauthorized disclosure of PII may still occur because CISA requires the company to remove only the PII it knows of at the time of sharing. Opponents also argue that CISA does not provide sufficient legal recourse for privacy breaches, and instead allows the government to extract large amounts of personal data from companies. There also is concern that CISA would allow Homeland Security to share acquired information with other federal agencies, including the National Security Agency, thereby creating opportunities for government surveillance.
President Obama has advocated for legislation to respond to the growing number of cyber attacks that have taken place in recent years, including the recent attacks on Sony, Home Depot, Target and Anthem. However, the Senate rejected earlier legislation as too broad. S. 754 passed by a 74-21 vote, but the bill must still be reconciled with legislation passed by the House of Representatives earlier this year. As CISA continues to work its way through the legislative process, the scope of liability protections for companies and the use of the shared information by the federal government will remain important issues.
White and Williams LLP will continue to monitor this legislation. For further information, please contact Josh Mooney (firstname.lastname@example.org; 215.864.6345) or Laura Schmidt (email@example.com; 215.864.6333).