On October 27, 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) passed the Senate by a 74-21 vote. Passage by such an overwhelming majority is a crucial step towards the controversial CISA becoming law, with the support of some security experts and to the chagrin of privacy advocates.
CISA’s underlying purpose is to encourage the sharing of cyber threat information among private entities and between private entities and the federal government. The bill permits an entity to share with any other entity or with the federal government (or vice versa) “cyber threat indicators” and “defensive measures” that are consistent with a “cybersecurity purpose.” Essentially, this amounts to the sharing of technical data that indicates how networks have been attacked and how the government or private entities have successfully detected, prevented, or mitigated such attacks. The bill does not specify the procedures by which cyber threat information will be shared, but private entities that share with the federal government are directed to do so through the Department of Homeland Security.
To facilitate information sharing, CISA affords significant protections to entities that wish to participate in the program. Under the bill, a private entity may monitor its own information system or, with proper authorization and written consent, the information system of another entity. This encompasses all information stored on, processed by, or passing through the information system at issue, as long as the monitoring is done for a “cybersecurity purpose,” i.e., to protect the information and/or information system from a cybersecurity threat or vulnerability.
Private entities that take advantage of CISA are effectively immune from liability stemming from their activities under the bill. CISA expressly prohibits any cause of action against a private entity for the monitoring of information or information systems in accordance with the bill. The bill’s opponents argue that this strips individuals of basic privacy protections: although entities may choose whether or not to participate in the program, individuals themselves are unable to opt out of CISA-sponsored monitoring. Compounding this concern are CISA provisions that permit the federal government, under certain circumstances, to share information disclosed under the bill with other federal agencies or departments, such as the FBI or the NSA. Advocates of the bill counter that, prior to sharing cyber threat information, entities are required to review and remove information “that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat.”
The Senate’s vote is clear evidence of lawmakers reacting to the high-profile security incidents of recent years. The tension between security and privacy will continue to play out while CISA awaits reconciliation with similar legislation passed in April by the House of Representatives. CISA is likely to become law once it reaches the President’s desk, as the Obama administration has already expressed its support for the measure. We will follow the bill as it progresses on our blog.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.