The Cybersecurity Information Sharing Act (CISA), S. 754, was signed into law by President Obama on December 18, 2015 as part of the larger 2016 Omnibus Spending Bill, and arrived on the cybersecurity landscape with an equally strong set of supporters and opponents. With strong views on both sides, CISA is the first step in building what all will likely agree is of critical importance – improving cybersecurity in the United States. The law is designed to allow and encourage sharing of “cyber threat information,” or Internet traffic information, between government, technology and manufacturing entities, taking initial baby steps toward bridging what some see as a gap existing between the public and private sectors on this front.
In the private sector, business community supporters include the United States Chamber of Commerce (whose president has made several statements endorsing the need for these standards and the prior legislation), the National Cable & Telecommunications Association, the Financial Services Roundtable, and the Cyber Threat Alliance – composed of Palo Alto Networks, Fortinet, Symantec and Intel Security Group. Major opponents within the business community include the Computer & Communications Industry Association, whose members include Google, Yahoo!, Amazon.com, Cloudflare, Netflix, Facebook, Twitter, Yelp and Apple, among others.
In addition to requiring greater cybersecurity information sharing between federal agencies, namely the Director of National Intelligence (DNI), the Secretary of Homeland Security (DHS), the Secretary of Defense (DOD) and the Attorney General (DOJ), the crux of the new law requires these same groups to develop and promulgate procedures for real-time sharing of classified and de-classified “cyber threat indicators” and “defensive measures” among private entities and other non-federal government agencies, such as state, tribal or local governments. Within the scope of unclassified information or data, the actual “cyber threat information” identified for sharing consists mainly of technical data, often in the form of log, report or other similar audit trail tracking statistics – all of which is designed to describe and annotate various cyber threat detection and prevention data points. Within the scope of classified information or data, the law restricts sharing to approved government agencies and those entities with appropriate security clearances.
While this public-to-private sharing may be acceptable and even expected, questions around the role of private-to-public sharing still remain, particularly in the context of what may become newly open access channels for private companies directly with the Department of Defense (including the NSA) as well as the DHS, among others. Of specific concern is the provision that allows private companies to share, with immunity from litigation, any data resulting from the standard course of their cybersecurity efforts (e.g. penetration/perimeter testing, vulnerability scans, internet traffic audits) performed on their own information systems and, with written consent, on information systems maintained by other private or public entities. In fact, an important component of the original legislation was to allow for, in essence, a safe harbor for companies to report and share this information appropriately up the chain without fear of legal liability for doing so. Questions also surround the definition of the threshold, or context, under which this information can be publicly shared. Earlier drafts of this legislation, beginning in 2014, called for a narrower standard or threshold requirement, allowing sharing only in the case of an “imminent threat,” whereas the legislation now enacted into law requires what some view as a less stringent standard, a “specific threat.”
Opponents of the new law have expressed additional concerns around the safety of information sharing entirely, including the fundamental question of how Personally Identifiable Information (PII) will be protected in this future process. They suggest that new procedures may inherently undermine data privacy and civil liberty protections for individuals as an inadvertent consequence of the information sharing framework. Proponents have responded to these assertions by noting that the law requires both public and private sector entities to scrub personal information from any shared data prior to distribution.
Knowing the inherent challenges posed by scrubbing requirements particularly against populations of Big Data, it seems likely that as policies and procedures are built and developed, they may include some forms of artificial intelligence, predictive coding/ranking, vector space analysis and latent semantic analysis technologies already being deployed to solve e-discovery challenges in the legal and financial services sectors. Building and transforming these processes to run in accordance with the real-time delivery expectation, however, will be a challenge no matter how the data can potentially be sliced and diced to remove or redact PII, so please stay tuned as we monitor what looks to be fast-track progress ahead for this important new law. Next steps show a deadline of February 16, 2016 for an initial draft of interim CISA policies and procedures to be submitted to Congress for review, and final form policies and procedures to be completed by June 15, 2016.
Please contact a member of our KMK Cybersecurity & Privacy Team to assist with any aspect of risk management, information governance plans, policies, procedures and technologies, and defense of litigation arising from cyber-attacks and data breaches.