On October 22, the United States Senate moved one step closer to passing the Cybersecurity Information Sharing Act (CISA) by taking the bill up for consideration by the full Senate.  The CISA claims to improve cybersecurity by encouraging the sharing of threat information among companies and the U.S. government.

Specifically, the CISA would permit private entities to share cyber threat indicators and defensive measures with other private entities and the federal government.  Companies would also receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program.  

A number of major tech companies have come out in opposition to the proposed legislation due to concerns about privacy and the sharing of personal information.  For example, the Computer and Communications Industry Association recently wrote in a blog post that the “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.  …  In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.” 

The CISA is co-sponsored by Sen. Dianne Feinstein (D-Calif.) and Sen. Richard Burr (R-N.C.), who said it was critical to limit increasingly high-profile cyberattacks.  The House of Representatives passed its version of the “Cybersecurity Information Sharing Act” in April with strong support from Republicans and Democrats.  If the Senate bill passes, the Senate and House versions would have to be reconciled before heading to the President’s desk.

The final version of CISA may conflict with the recently signed California Electronic Communications Privacy Act (CalECPA), which Gov. Jerry Brown declared would be “the first comprehensive law protecting location data, content, metadata and device searches” from law enforcement.  CalECPA requires that law enforcement generally obtain a warrant, wiretap order, or subpoena before compelling or accessing electronic information except in emergency situations. 

The debate over “backdoors” for law enforcement was recently highlighted by numerous scholarly articles such as “Keys Under Doormats,” where cryptologists argued that backdoor mechanisms would create vulnerabilities in security tools such as encryption. 

You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.