The Cybersecurity Information Sharing Act, S. 754 (CISA) was passed by the Senate on Oct. 27, and while it still has a few hoops to jump through before it is enacted into law, the hotly debated proposed rules may considerably impact both those organizations holding sensitive data and the users to which that data belongs.
On one hand, the Act would extend protections to organizations who decide to share information with the Department of Homeland Security and the FBI, pooling it in a database designed to aid U.S. authorities in their ongoing war with cybercriminals. But on the other hand, privacy advocates believe the verbiage of the Act is far too broad in the protections it offers, and not explicit enough about how the government intends to use the information that it collects through its efforts.
Criticisms of the Act
Still, the possibility that U.S. authorities can create a better means of tracking and identifying hacking incidents can be attractive for those who are subject to attacks.
According to John Stephens, a partner at Sedgwick, the Act hopes to “encourage different entities to share information regarding breaches, because right now there's a strong incentive not to share. If a breach doesn't involve personal identifiable information, there's no reporting required.”
That lack of reporting requirements may not insulate an organization from risks concerning its reputation in a marketplace, or from backlash from investors, but the obfuscation of data breach details could mitigate potential damages. However, having a network to share the details of an attack without broader reporting requirements, the Act argues, would have the net benefit of helping similarly targeted organizations protect themselves from future attacks.
Stephens explains: “The way it works right now is you have a lot of incidents occurring with no central database synthesizing and analyzing the information. That's a problem because many hackers follow certain trends. If you can establish a pattern or a trend, you can establish what these bad actors are doing and potentially determine what they'll target next.”
Those companies that decide to engage in the protections afforded by the Act would not only gain better insight into the cyber risk ecosystem, but would also receive protection from any other statutes that prohibit the exchange of personal data.
“Those protections address any statutory language out there in any form, whether it's a state or federal law, which specifically prohibits the sharing of data without permission from the owner of that data,” Stephens says. “This would entail risk to any entity sharing that data, but this Act now provides a shield with which to do that. This comes after a number of statutes that have already been written that specifically apply liabilities and penalties regarding the sharing of that information.”
While there is certainly some information to be gleaned from the data shared in the proposed central repository, the Act has still been a point of friction for privacy advocates, who contend that the details of the government's use of the data after it has been collected are not at all clear. As a result, the immediately identified benefit to organizations could be eroded by the exposure to litigation that sharing data with the government could herald.
According to Brenda Sharton, partner and chair of business litigation for Goodwin Procter, “from the standpoint of companies, what the government is saying is, 'We're giving you some limited liability.' But when you look at it, there are a lot of holes concerning what the protection actually does. Willful misconduct, gross negligence - these things aren't protected and are often ill defined. You have a situation where plaintiff's lawyers can bring claims, so companies will still be facing lawsuits. There's a question of how much companies are really getting out of this if they're not receiving protection from those suits while offering information to the government.”
Likewise, opponents of the Act fear that pooling personal data has an impact on the data directly inverse to the goal of the program: exposing it to more breach risk, rather than making breaches less likely.
High-Profile Breaches Led to Passage
The passage of CISA in the Senate was largely predicated on the surge in data breaches targeting well-known organizations over the last two years. However, as we've seen over the last year with breaches targeting the Office of Personnel Management, the Postal Service and the Internal Revenue Service, the U.S. government is not immune from breaches itself. Absent tighter security methods, a shared pool of information may not only leak untold amounts of personal identifying information (PII) for organizations, but also tip the U.S.'s hand concerning ongoing strategies that target cybercriminals.
As Sharton points out: “Any time you have the government collecting that much data, there are issues. The first fundamental problem is just in moving the data; you increase the risk of breach whenever you move it. It could, for example, go to the wrong place, or be handled poorly along the way. Secondly, you have it sitting on government servers, so you're now multiplying the locations where that data is held and in doing so multiply the potential surface areas of a breach. Third, there do not appear to be rules in the Act that limit what the government can do with the data. It doesn't say, 'This data can't be used for purposes unrelated to cybersecurity,' for example.”