Does the Cybersecurity Information Sharing Act Come at a Cost?
October 30, 2015
On October 27, 2015, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA), which is intended to address the increasing number of corporate data breaches.
However, critics of the Cybersecurity Information Sharing Act contend that the lack of privacy protections opens the door for wide-scale government surveillance.
The stated goal of the Cybersecurity Information Sharing Act is to promote information sharing regarding cyber threats impacting the private sector. Under the proposed legislation, federal agencies, such as the Department of Homeland Security, will alert businesses about potential threats. At the same time, businesses will share information about cyberattacks or data intrusions. Companies that participate in the program would be shielded from liability for violating privacy-protection or antitrust laws.
Civil liberties groups, privacy advocates, and technology companies, including Apple, Amazon, Microsoft and Google, vehemently oppose the Cybersecurity Information Sharing Act in its current form. They maintain that the law fails to sufficiently protect users’ privacy or appropriately restrict how the federal government can use the information it receives. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” Apple wrote in a statement to the Washington Post.
Civil liberties groups are also concerned that corporations who participate in the program may not safeguard their customers’ privacy. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” according to Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”
On the other side, Cybersecurity Information Sharing Act supporters argue that the statute will not be used to enable government surveillance, and is a necessary tool to stem the growing tide of corporate data breaches. They note that the program will technically be voluntary and that companies are required to remove personally identifiable information from any data shared with the government.
“I still say today to those folks in this institution and outside this institution that are concerned with privacy, I think [Senator Dianne Feinstein] and I have bent over backwards to accommodate concerns,” Senate Intelligence Committee chair Richard Burr stated during the Senate debate. “Some concerns still exist. We don’t believe they’re necessarily accurate, and only by utilizing this system will we understand if we’ve been deficient anywhere.”
The Senate passed the Cybersecurity Information Sharing Act by a vote of 74 to 21 without addressing the privacy concerns, and the House of Representatives passed a similar version of the legislation earlier this year. Therefore, it is likely that a compromise bill will be on the President’s desk soon. We will continue to track the status of the legislation and post updates as they become available.
If you have any questions about the Cybersecurity Information Sharing Act, please contact me, Fernando M. Pinguelo.
Additional information and resources:
Cyber Security & Data Protection Law Group: https://scarincihollenbeck.com/practices/cyber-security-and-data-protection/
Crisis & Risk Management: https://scarincihollenbeck.com/practices/crisis-risk-management/