Should Companies Trust New Cyber Security Bill En Route to Passage in Senate?

Data

On March 12, 2015, the Senate Intelligence Committee took an important step in advancing a comprehensive bill titled the Cybersecurity Information Sharing Act of 2015 (“CISA”) aimed at bolstering U.S. companies and the federal government’s cyber security protections.  But some privacy watchdogs and other government officials are openly wondering whether the new bill is aimed more at protecting the country from cyber threats or at creating a backdoor into new surveillance programs.  As we discussed in our previous post regarding the White House’s creation of a new agency to address cyber security threats earlier this month, many businesses are wary of cooperating with a government that has not been wholly upfront with how it uses information that companies like Google or Apple have provided in the past.  However, the bill may have enough bipartisan support to pass the Senate as early as April, where it will move on to the House and likely the President’s desk.   Even though advocates are claiming that the new bill protects customers’ private information, some groups believe U.S. companies would not be aiding cyber security, but additional cyber surveillance.

The most recent Senate draft of CISA that passed the Senate Intelligence Committee was provided to the public on March 17.  At its core, the bill encourages private companies to share information on cyber threats with the government so that information flows more freely, while at the same time ensuring that the information shared does not contain customers’ private identifiable information.  To achieve this goal, the bill implemented a number of changes from the version in 2014 (as well as the version presented to the committee prior to any amendments) that failed aimed at securing additional privacy protections and making companies feel more secure about their potential liability for sharing sensitive information.

First, U.S. companies will only provide information voluntarily to the federal government; they cannot be compelled or pressured to do so.

Second, if companies do choose to share information with the government, they must take a number of steps to protect consumers:

  • They “must review such information and remove any personally identifying consumer information not directly related to a cyber-threat before sharing data.”
  • They must obtain affirmative consent from customers permitting the company to monitor the networks the customer is using.
  • The affirmative consent provided by customers is only good for “defensive measures” that a company would take on its own networks, and does not include “offensive or destructive activities” such as shutting down a network or sending malware through the network.  Defensive measures means “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”  It does not include “a measure that destroys, renders unusable, or substanitally harms an information system or data on an information system not belonging to the private entity implementing the measure, a federal entity, or another entity that has provided consent for operation of the measure at issue.

Like the bill introduced by New York earlier this year, the bill would provide companies who choose to voluntarily provide information to the government with certain protections from liability as a means to incentivize them to comply.  Also like the New York bill, a failure to implement customer safeguards would bar any liability protections that could have attached otherwise.

Third, the bill also protects consumers from the government’s overreach into their private information by:

  • creating a portal at the Department of Homeland Security for all information to flow through so that any privacy policies can be uniformly implemented and avoid having such information flow through military and intelligence agencies.
  • limiting the government’s use of the data to only a few specific areas: cybersecurity purposes, investigating cyber-attacks, preventing imminent terrorist attacks and threats to life, and finally, “to investigate computer-related crimes and serious, violent felonies.”
  • mandating that the attorney general’s office create and enforce mandatory policies and procedures on the government that limit the amount of time it can keep the information companies provide it; impose penalties on government officials who abuse their power; and create additional privacy safeguards including customer notification of improper or erroneous use of information.

In large part because of the 12 amendments adding robust additional privacy protections to the new bill, it passed the Senate Intelligence Committee 14-1, with Senator Ron Wyden as the lone senator voting no due to his belief that the bill’s privacy protections do not go far enough. He called the bill a “surveillance bill by another name” and stated that he did not believe it would be effective enough in stopping future cyber-attacks.  Others are framing the bill as a Trojan Horse aimed at implementing the Patriot Act 2.0 under the guise of Cybersecurity.  The ACLU noted that because information sharing is voluntary, companies could provide customer information to the government without a warrant.

U.S. corporations have not made many indications yet as to whether or not they plan to support this new bill.   However, with the additional protections it gives them in sharing customer data with the government, it is likely to make them feel a whole lot safer from both external cyber-attacks, and privacy lawsuits from consumers.