By Darryl Drevna
In something of a response to the EU’s invalidation of Safe Harbor earlier this month, the Senate voted 74 – 21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday. The bill was originally introduced by Sen. Dianne Feinstein (D-CA) in June 2014, in the wake of several high-profile cyber-attacks on US companies.
CISA is designed to encourage companies to share information on cyber-attacks by offering liability protections to companies that share or receive indicators or defensive measures regarding cyberattacks with the federal government, specifically the Department of Homeland Security (DHS). This liability protection is concerning to civil libertarians, who have criticized the bill as a surveillance, rather than a cyber-security measure, as DHS could share the information with other agencies, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). During the floor debate before passage, Sen. Richard Burr (R-NC), who co-sponsored the bill, emphasized that the program will be voluntary and that companies will not be required to participate. It is not yet clear how CISA may affect the ongoing negotiations between the European Commission and the Department of Commerce on a new “Safe Harbor” agreement to replace the framework invalidated by the EU Court of Justice.
Before approving the bill, the Senate rejected four amendments that were intended to address privacy concerns. The Senate also rejected an amendment offered by Sen. Rand Paul (R-KY) that would have stripped immunity from companies that break privacy agreement with their customers.
The bill will head to a conference with the House where differences on how information is shared with the government will need to be addressed. House and Senate staff will combine three bills into a final measure that will need to pass both chambers. In April, the House overwhelmingly passed two cybersecurity bills, the Protecting Cyber Networks Act (H.R.1560) (“PCNA”) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (“NCPAA”). The PCNA, which CISA largely mirrors, is designed to improve communication and sharing of information about cyber threats, vulnerabilities, and cyberattacks between corporations and government agencies. Congress hopes that the PCNA will provide companies with a real-time notice and response system to better deter attacks and warn other network and infrastructure operators about new techniques being deployed by advanced hackers. The PCNA does provide some privacy provisions, however, including a requirement that companies remove or scrub Personally Identifying Information unrelated to or unnecessary for analysis of the alleged threat.
The NCPAA grants companies protection against liability for sharing data with the Department of Homeland Security (“DHS”) by amending the Homeland Security Act of 2002 to encourage voluntary information sharing about cyber threats, with liability protections, between and among the private sector and Federal government. Without these liability protections, companies sharing data pursuant to the PCNA could expose themselves to class actions or increased regulatory enforcement actions. Responding to privacy concerns, the NCPPA also includes numerous provisions to ensure the protection of the privacy of American citizens and ensure that shared cyber threat information is solely used for cybersecurity purposes.
Sen. Burr said that a conference with the House could begin as soon as this week, but that a final package likely will not be ready until 2016. The President is expected to sign the final measure.
By Darryl Drevna