After a prolonged debate and months-long consideration of amendments, on Tuesday the Senate passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. It remains to be seen what form the final cybersecurity information sharing bill will take, but the Senate’s overwhelming vote for CISA suggests that the chances for overall passage are stronger than ever.
At its core, CISA creates liability protections for entities that monitor their information systems and share cyber threat information with, or receive information from, the federal government through the mechanisms established in the bill. Privacy advocates argue that these liability protections facilitate ever-increasing government collection of citizens’ data without sufficient privacy safeguards. The authors of CISA try to mitigate these concerns by requiring that certain personal information be removed from the information that is shared with the government. However, the authors maintain the liability protections in the bill because they are viewed as fundamental to encouraging participation in the voluntary information sharing program.
Key elements of CISA include the following:
- No new mandatory information sharing requirements. CISA creates a voluntary information sharing program run by the federal government to disseminate information about cyber threats. An entity that has experienced a cybersecurity incident has no obligation under this bill to share information with the federal government (although an entity may have notification obligations arising under separate data breach notification laws). Section 108(h) of the bill states that the legislation shall not be construed to: require an entity to provide information to a federal entity or another entity; condition the sharing of cyber threat indicators with an entity on that entity’s provision of cyber threat indicators to a federal entity or another entity; or condition the award of any federal grant, contract, or purchase on the sharing of cyber threat indicators with a federal entity or another entity. Similarly, Section 108(i) states that the legislation shall not be construed to subject any entity to liability for choosing not to participate in the information sharing program.
- Duty to protect information and remove certain personal information. Section 104(d) requires an entity that monitors an information system (defined to include industrial control systems), operates a defensive measure, or provides or receives information about cyber threats or defensive measures under this section to implement a “security control” to protect against unauthorized access to, or acquisition of, such cyber threat indicators or defensive measures. The bill defines a security control as the management, operational, and technical controls used to protect against unauthorized access to the system or information. Section 104(d) also requires participating entities to remove certain personal information before sharing cyber threat information with the federal government. Specifically, an entity must remove any information it knows to be personal information, or information that identifies a specific person, that is not directly related to a cybersecurity threat. The term “personal information” is not defined in the bill.
- Liability protections. CISA provides a number of liability protections to entities regardless of whether they choose to share information with the federal government. Section 106(a) provides liability protection to an entity for monitoring its own information systems or, with written consent, another entity’s information systems. Section 106(b) provides liability protection to an entity that shares or receives cyber threat information pursuant to this bill. However, under Section 106(c) these liability protections do not extend to an organization that has engaged in gross negligence or willful misconduct in the course of conducting these activities.
- Authorization to undertake defensive measures. Section 104(b) clarifies that an entity can take “defensive measures” to protect the rights or property of the entity. Section 102(7) defines a defensive measure as a measure that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. A defensive measure does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or data on an information system that does not belong to the entity operating the measure or to another entity that has provided consent to the operation of such measure. Additionally, CISA does not define what “rights” and “property” can be protected by a defensive measure.
After enactment, implementation of the bill requires additional work by federal departments and agencies, including the creation of standards for federal agency receipt and sharing of cyber threat information, and guidelines for the private sector and other non-federal entities to submit such information.
Overall, CISA aims to create incentives for the private sector to share information with, and receive information from, the federal government. The bill attempts to address privacy concerns by instructing participants to remove personal information from the information exchanged. Entities that see the utility in such information sharing arrangements would be prudent to start considering now what information they would share, the types of information they would like to receive, and how they would assess and remediate cyber risks they learn about through the bill’s information sharing program. However, entities may wish to avoid significant changes to their current information sharing strategies and cyber countermeasures until the legislation is enacted and agency regulations and guidance become clearer.