Data Protection Report - Norton Rose Fulbright

The relatively short turnaround of the Cybersecurity Information Sharing Act (CISA or the “Act”) has proved challenging, as a vote initially intended for this week will have to wait until the Senate’s September session, at the earliest.

CISA is intended to support and encourage the sharing of information about cyber threats between the private and public sectors. It does so in part by addressing the long-standing roadblock to cyber threat sharing: liability protection for companies willing to share information with the government regarding “cyber threat indicators” or “defensive measures” that companies employ to defend against cyberattacks. The liability protection provision also provides immunity for any action based upon the monitoring of certain information and information systems by companies participating in threat sharing programs.

Though there is significant internal and external pressure to strengthen the nation’s cybersecurity measures, specifically in light of the recent OPM and other high-profile data breaches, lawmakers scuttled the vote, finding themselves unable to reach a consensus on which amendments should be included in the bill.

The proposed Act is not without controversy, however. Though it has been lauded by some security experts as an innovative method for strengthening cyber defense, privacy advocates and even the Department of Homeland Security (DHS or the “Department”) have expressed significant concern that CISA does not offer enough privacy protections for consumers and other users. The DHS published a letter taking issue with “the bill’s authorization to share [information] with any federal agency ‘notwithstanding any other provision [in] law’,” which the Department is concerned undermines protections afforded in part by the Stored Communications Act. The Department also expressed reservations about CISA’s requirement that entities submit data “in ‘real time’ and ‘not subject to any delay [or] modification’,” which could hamper efforts to scrub personally identifiable information from the shared data.

CISA will be reintroduced in the Senate during the September session. Republicans and Democrats have agreed that each party will then have the opportunity to propose ten amendments to the bill. It remains to be seen whether the amendments will quell the concerns of civil liberties and privacy advocates while maintaining the support of the cybersecurity and cyber defense community.
