Despite President Obama’s January signing of an Executive Order (EO) which outlines national cyber security policies in protecting U.S. companies and government agencies against cyber threats, the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was passed in a 288-127 House vote sending it now to the Senate.¹
CISPA supporters say the act will help facilitate information sharing between private businesses and intelligence agencies since it legally protects businesses that shares suspicious data with agencies about its employees and customers, including email and social media activity. Under the mandate of “protecting the national security of the United States,” intelligence agencies are also allowed to collect personnel information from businesses as needed. However, CISPA drew heavy criticism from civil liberties groups and technology companies regarding its lack of consumer privacy protections. Vague language and fear of unaccountable surveillance spurred opposition from civil liberties groups who felt CISPA was more “surveillance legislation” than data protection and security legislation and gave too wide a berth to private information gathering under the guise of national security.
On the other hand, the Executive Order allows government data to be shared with private companies but does not include legal immunity for private sector companies that share people’s personal information with government agencies. Instead, it mandates that government agencies monitor the civil liberty impact of their cyber security programs and report on its effect on personal privacy.
In the current act, the rejection of four amendments regarding protecting privacy and personal information frustrated data privacy advocates. One of the rejected changes to the act exempted the National Security Agency, the Department of Defense and all military branches from receiving cyber threat information from private companies. Another rejected suggestion would have given consumers the right to hold companies legally responsible for misusing their private information or any misuse leading to a data breach. A proposal for a President-selected officer to establish government policies and procedures on the “retention, use and disclosure” of shared data was also shot down. However, the rejected amendment that was most disappointing was one proposing that companies should make reasonable efforts to remove all Personal Identifiable Information (PII) sharing information with the government.
CISPA still has some hurdles to cross before becoming law. Members of the Senate voiced opposition to the failed passing of the PII amendment and expressed concern that the bill gives too much liability protection to companies that share information with the government. Even if CISPA reaches the White House, President Obama has already released a statement that he will veto the bill in its current form citing the same concerns as the Senate. In 2012, the original CISPA act also met with opposition from the Obama administration who now also has its own Executive Order to support.
As the debate over which piece of legislation ultimately becomes our nation’s cyber security standard, what’s clear is that there is a fine line between gathering data security information in the name of national security and privacy protection. Ultimately, the legislation that wins will be the one that recognizes the importance of both data security and personal privacy while providing defined boundaries for both.