Legislation To Permit Cyber-Intelligence Sharing: Why All The Fuss?
By Mary-Elizabeth Hadley
The White House recently joined a slew of privacy advocates in denouncing – and threatening to veto – the Cyber Intelligence Sharing and Protection Act (“CISPA”).
CISPA calls for voluntary information sharing between the government and private companies when a cyberthreat occurs. Chairman of the House Permanent Select Committee on Intelligence Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) reintroduced CISPA in February 2013. The House passed a previous version of the bill last April, but the legislation died in the Senate.
According to the White House, there are three major problems with the legislation. First, the bill should protect individuals’ personal information by only permitting the sharing of data that is relevant to the cyberattack. The bill currently permits companies to share users’ personal data – such as email content and internet records – and does not require companies to remove personal information prior to sharing it with the government or other organizations. While the bill directs the government to establish policies for limiting the amount of personal information shared, it stops short of requiring companies to do so.
In addition, the Obama Administration and other critics argue that a civilian agency should be tasked with managing the information, not an intelligence agency. This concern is partially addressed by an amendment to the bill. As revised, the bill provides that the “President shall designate an entity within the Department of Homeland Security” (“DHS”) as the “coordinating entity for cyber threat information.” H.R. 624 at 2. Similarly, “an entity within the Department of Justice” (“DOJ”) will be designated for the receipt of “cyber threat information.” Id. The change does not fully resolve the articulated concerns, however, because the bill does not require DHS and DOJ to remove personally identifiable information before sharing cyber threat information with appropriate federal agencies and departments, including those “with a national security mission in real time.” Id. at 3. Nor does the bill prevent companies from sharing data directly with the National Security Agency if they choose to do so.
The third major concern centers on immunity. The bill provides companies with blanket civil and criminal immunity for any “decisions made for cybersecurity purposes” to protect against a perceived cyber threat, provided they acted in “good faith.” H.R. 624 at 20. The measure defines “a lack of good faith” as “any act or omission taken with intent to injure, defraud, or otherwise endanger,” but does not carve out exceptions for corporations whose recklessness contributed to the exposure of data. Id. In other words, even a “reckless” company would be entitled to immunity. Rep. John Conyers (D-MI) sought to narrow the bill’s immunity provision, but his amendment failed to make it to the House floor.
Other amendments were more successful. An amendment introduced by Rep. Barton (R-TX), for example, provides that companies cannot sell users’ personal information for marketing purposes. The House also approved Rep. Sinema’s (D-AZ) amendment requiring DHS’s Inspector General to report to Congress annually on the use of cyber information shared with the Federal Government. Similarly, the bill requires DHS’s Office for Civil Rights and Civil Liberties to prepare an annual report assessing the data privacy and civil liberties impact of the sharing of cyber threat information, thanks to an amendment introduced by Rep. Sanchez (D-CA).
Despite these changes, widespread criticism of the bill remains. Whether legislation is ultimately enacted into law will depend heavily on the nature of any Senate bill and the success of the two bodies in reaching a compromise that resolves the Obama Administration’s concerns.
Caveat Vendor is Paul Hastings’ Consumer Issues blog.