On October 27, the United States Senate passed the Cybersecurity Information Sharing Act (“CISA”) by a vote of 74-21. CISA claims to improve cybersecurity by encouraging the sharing of threat information among companies and the U.S. Government.
As previously reported here, CISA would permit private entities to share cyber threat indicators and defensive measures with other private entities and the federal government. CISA would also offer certain protections from liability for companies that elect to voluntarily share information on cyberattacks and other cyberthreats among themselves and with the federal government. Companies would also receive legal protections from antitrust actions for participating in the voluntary program. The Senate bill also clarifies the measures that companies can take to identify and expel threats from their networks by enabling companies to avoid legal liability for monitoring information systems for cyberthreats and taking “defensive measures” to shut down the attack.
The bill, if implemented, would require federal departments and agencies to create standards for federal agency receipt and sharing of cyber threat information, as well as guidelines for the private sector and other non-federal entities to submit such information.
Prior to the bill’s passage, a number of senators unsuccessfully sought to amend CISA by reforming the bill’s privacy protections. Sen. Al Franken (D-Minn.) tried to add an amendment that would have narrowed the definition of “cybersecurity threat” and “threat indicators” covered by the bill. Franken’s amendment lost by a vote of 35 to 60. Another amendment from Sen. Ron Wyden (D-Ore.) would have required companies to remove personal data from those cyber threat “indicators” before sharing them unless that personal information is necessary to describe or identify the threat; it lost by a vote of 41 to 60.
The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. The scope of the liability protections for both information-sharing and system monitoring, and the duty to protect information and remove certain personal information are likely to be three of the most contentious issues to be debated during the reconciliation process, which some lawmakers have predicted won’t be completed until January.
The final version of CISA may conflict with the recently signed California Electronic Communications Privacy Act (CalECPA), which Gov. Jerry Brown declared would be “the first … comprehensive law protecting location data, content, metadata and device searches” from law enforcement. CalECPA requires that law enforcement generally obtain a warrant, wiretap order, or subpoena before compelling or accessing electronic information, except in emergency situations.