The U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754) today. In material part, the bill:
- establishes a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between private organizations (defined to also include state and local governments) and the federal government;
- with respect to information sharing among private organizations, provides for the liability protections described below, and exempts such information sharing from “any provision of antitrust laws” (with certain exceptions);
- includes provisions requiring the removal of personally identifiable information (“PII”) prior to sharing, and security controls to prevent unauthorized access to the information shared;
- requires the government to periodically release “cybersecurity best practices” developed based on the information sharing framework;
- includes liability protection for monitoring and information sharing pursuant to the Act. The liability protection is limited, however, because it does not apply to gross negligence or willful misconduct, and does not limit “otherwise applicable common law or statutory defenses.” The definition of “cybersecurity threat” specifically excludes “action that solely involves a violation of a consumer term of service or a consumer licensing agreement,” such that there would be no immunity for such actions.
Title II, the “Federal Cybersecurity Enhancement Act,” imposes a series of new cybersecurity requirements on government agencies (not including the Department of Defense or intelligence community), such as the development of an “intrusion assessment plan” to “identify and remove intruders” in government information systems, and the deployment of capabilities for federal agencies to detect and remove cybersecurity risks. Title III, the Federal Cybersecurity Workforce Assessment Act, requires the government to assess the state of federal government cybersecurity workforce needs. And Title IV contains a variety of miscellaneous provisions relating to cybersecurity, including provisions calling for studies and the development of voluntary cybersecurity best practices for the health care industry and emergency response providers, and development of a mitigation strategy for cybersecurity attacks on critical infrastructure.
By way of background, CISA was introduced in March 2015, following the White House’s proposed information sharing legislation released in January 2015. We previously analyzed the White House proposal, and some of the key differences between it and the House of Representatives’ information sharing legislation, the Cyber Information Sharing and Protection Act (“CISPA”). CISA more closely resembles the White House proposal, which also sought to establish a voluntary framework for cybersecurity data sharing between private organizations and the federal government. The key differences lie in CISA’s narrower liability limitations and privacy protections. In contrast to the White House’s proposal, which already narrowed CISPA’s liability limitations, CISA does not limit the use of evidence in regulatory proceedings, is inapplicable to gross negligence or willful misconduct, and expressly does not limit “otherwise applicable common law or statutory defenses.” CISA’s privacy protection provisions are also less extensive, requiring only removal of information the government or a private entity “knows at the time of sharing” to be PII that is “not directly related to a cybersecurity threat.” Amendments that would have required companies to remove PII “to the extent feasible,” and the government to remove PII it “reasonably believes” is not directly related to cybersecurity, were rejected. CISA does require the government to establish privacy guidelines for the data sharing to, for instance, “limit the impact on privacy” and limit “receipt, retention, use, and dissemination” of PII.
The White House generally supports CISA, which includes a number of changes sought by the Obama administration, but remains concerned with the language regarding “defensive measures” and would oppose efforts to increase the current liability limitation provisions. The Chamber of Commerce and several financial industry groups also support CISA, but have not weighed in on a number of the other provisions recently added to the bill. Critics of the bill have pointed to privacy concerns due to the potential for increased government surveillance and damage to network infrastructures. These concerns previously animated the Computer and Communications Industry Association, among others, to oppose CISA. And a coalition of public interest groups also registered its strong opposition to the bill on privacy grounds. Now that the Senate has passed the bill, CISA still needs to be reconciled with two cybersecurity measures that passed the House in April, and the final reconciled version would need to pass again in both the House and the Senate. Thus, Sen. Feinstein has noted that there is still “a long road ahead” before CISA ultimately would become a bill ready for the President’s signature.