Washington—Senate Intelligence Committee Vice Chairman Dianne Feinstein (D-Calif.) today released a list of privacy provisions included in the recently passed Cybersecurity Information Sharing Act, known as CISA.
“We learned many lessons from earlier attempts to pass this legislation, most notably that any information sharing bill must include robust language to safeguard personally identifying information,” Senator Feinstein said. “Any suggestion that this bill doesn’t take personal privacy seriously is flat out wrong. We worked closely with privacy groups and the White House to make sure this bill had robust privacy protections, and the strong bipartisan vote and administration support shows that we succeeded. The bottom line is that we don’t have to choose between sharing cyber threat information and securing personal data; we can do both at the same time.”
The Senate on October 27 passed the Cybersecurity Information Sharing Act by a vote of 74-21. The bill creates an environment that encourages the sharing of cyber threat information while safeguarding personal data.
How the bill protects personal information:
- Any company that participates in the voluntary sharing of information may only share limited types of information and is required to conduct a privacy review and remove any identified personal information prior to sharing.
- Only cyber threat indicators and defensive measures, which are narrowly defined, can be shared—not unrelated customer or personal information.
- The government will further review information upon receipt to remove any personal information, and can only use the cyber information it receives for defined cyber-related and limited public safety purposes.
Below are some of the most significant privacy protections to ensure that personal information is protected from transfer, use or disclosure:
- The bill is completely voluntary. Companies can decide whether to share information with the government or with other companies, or can decide not to participate. The government can’t compel or coerce companies to participate, and can’t condition other benefits or contracts on their participation (augmented by Flake Amendment 2580).
- The bill limits the kinds of information that the government or companies may share to “defensive measures” and “cyber threat indicators,” which are narrowly defined. The bill’s legal authorizations and liability protections do not apply to sharing other kinds of information.
- Companies can only monitor their networks or share cyber threat information for cybersecurity purposes (managers’ amendment).
- Companies can only monitor the networks of individuals or other companies with authorization and written consent (augmented by Cotton Amendment in committee).
- Prior to sharing information, the government and companies are required to conduct a mandatory privacy review and remove privacy information not directly related to a cybersecurity threat.
- All information received by the government will be covered by procedures and mandatory privacy protections established by the Attorney General that:
  - Limit how long the government can retain information it receives;
  - Set sanctions for any violations of the bill by Federal officials;
  - Specify additional privacy protections, including notification in the event of mistakenly shared information; and
  - Include publicly available guidance to assist companies on the types of information that could be considered cyber threat indicators and those types that would be protected under otherwise applicable privacy laws (Heinrich Amendment in Committee).
- Liability protection for sharing with the government does not go into effect until interim Attorney General privacy guidelines are developed and requires incorporation of private sector expertise in developing them (Hirono-Rubio Amendment in committee).
- Most sharing of cyber threat information with the federal government will go through a central, civilian process (a “portal”) at the Department of Homeland Security, not directly to defense or law enforcement.
- Exemptions to the use of the DHS portal for sharing information in previous versions of the bill have been removed and further narrowed (managers’ amendment).
- The Department of Homeland Security will have the ability, in concert with other defined federal agencies, to apply automated methods to strip out personal or other inappropriate information (Carper Amendment 2615).
- Federal recipients of information will have to review and remove any information that is not a cyber threat indicator or a defensive measure.
- The government can only use voluntarily shared information for specified purposes, to include cybersecurity purposes, cyber crime, and preventing imminent physical attacks. Provisions that would allow additional uses of cyber threat information have been removed from the bill (managers’ amendment).
- The government is required to have procedures on how to notify individuals if the government discloses their personal information in the course of sharing cyber threat information (Wyden Amendment 2622).
- Multiple levels of oversight of the information sharing system are required by senior government officials, inspectors general, the Privacy and Civil Liberties Oversight Board, and the Congress (augmented by Lankford Amendment in committee and Tester Amendment 2632).
- The bill expressly limits the authorization for a company to use “defensive measures” on its own network and does not authorize a company to defend its network by gaining unauthorized access to other networks (managers’ amendment).
- A provision was removed from the bill that would have created a new statutory exemption to the Freedom of Information Act to cover cyber threat information (managers’ amendment).
- The bill sunsets in 10 years from the date of enactment (Flake Amendment 2582).
- The bill includes several provisions to improve the federal government’s cybersecurity. As poor cybersecurity at federal offices such as the Office of Personnel Management has resulted in the compromise of millions of people’s records, improved federal cybersecurity will enhance privacy (Carper Amendment 2627, Hatch Amendment 2712).