On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bipartisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
The purpose of CISA is to provide enhanced sharing of information relating to cybersecurity threats between the private sector and the federal government. The Senate and House bills provide:
- A mechanism for information sharing coordinated by a federal agency;
- Authorization for private entities to undertake such sharing and defensive cyber actions; and
- Liability protections for actions that qualify as information sharing or specific actions undertaken to defend or monitor corporate networks and protections against disclosure under FOIA.
There are differences between the Senate and House bills that need to be worked out in order to clarify the ultimate effects of the legislation and clear its pathway to becoming law. One major area for continued debate may relate to privacy protections, where several failed amendments received significant support in the Senate and backing from tech companies, but were not reflected in the Senate bill as passed. Vocal advocacy from privacy and civil liberties groups may continue to make this a focus during the conferencing process.
Key differences between CISA and the House bills include:
- Privacy protections: The House bills provide that entities shall, prior to sharing information, “take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition.” H.R. 1731 § 3 (i)(3)(c). In contrast, CISA specifies that entities shall, prior to sharing information, “review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat and remove such information; or to implement and utilize a technical capability configured to remove [any such information]. . .” S. 754 (d)(2)(A and B). The practical difference is the standard of care: the House bills impose an objective “reasonable efforts” test, while CISA requires removal only of information the entity actually “knows” to be personal and unrelated to a threat (or the use of a technical capability configured to remove it). Privacy advocates and businesses will have differing views over the appropriate standards of protection that personal information should receive in the voluntary information sharing regime, especially as information sharing becomes common practice. Importantly, the House’s “reasonable efforts” standard may expose businesses to liability for information sharing, as it is a standard that courts can interpret after the fact. That potential exposure to liability may deter corporations from conducting the very information sharing the bills seek to encourage.
- Information sharing mechanisms: Another key difference relates to how information would be shared with the government. Under the House bills, companies would be able to share information directly with multiple federal agencies. In the Senate version, by contrast, CISA would establish a single portal at DHS, and DHS could disclose the information to other agencies or to the private sector only after taking steps to ensure that personal information had been removed.
- Determination of adequacy: CISA would require DHS and other agencies to determine whether certain critical infrastructure entities have provided sufficient and adequate information. The Secretary of DHS would be required, in conjunction with the appropriate agency regulating the covered entity, to develop strategies to address the cybersecurity of each covered entity. These strategies would include an assessment of whether each entity should be required to report cybersecurity incidents and a description of any identified security gaps that must be addressed. The House bills do not include such requirements. Some industry proponents have raised concerns that such a requirement would create duplicative regulatory oversight, establish a path toward mandatory reporting, and further complicate compliance efforts.
- Healthcare cybersecurity: CISA requires the Department of Health and Human Services to report on cybersecurity and directs the Department to develop cybersecurity standards for healthcare information. Such provisions are not included in the House bills and will have to be worked out in conference, but they appear to be supported by elements of the healthcare industry.
- Sunset: CISA has a ten-year sunset. The House bills have seven-year sunset provisions. This difference will have to be addressed in the conferencing process.
Provisions like these will be important to watch as the legislation makes its way toward becoming law. The White House has urged Congress to move “expeditiously,” but Senator Burr has already declared that the conference process is likely to “move at a very slow pace.”