What does the Cybersecurity Act mean for your business?

According to a 2013 study by the Center for Strategic and International Studies, cybercrime costs the United States an estimated $100 billion per year. Businesses and the government clearly have an interest in curbing those losses. On Oct. 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA, S. 754). While it still must be reconciled with the House version and then signed by the president, the bill seems likely to be enacted into law sometime in early 2016.

So what exactly is CISA? The bill is built on the premise that both private businesses and the federal government have a mutually vested interest in security from cyberattacks and that, currently, information is insufficiently shared between public and private entities. Better sharing of information about new cyber intrusions could help better defend against future attacks, proponents of the law argue.

Thus, Title I of CISA includes provisions to encourage the sharing of information between private and public entities. On its face, the bill appears to be a two-way street. It allows the government, through procedures to be established by the Director of National Intelligence, the secretaries of Homeland Security and Defense, and the attorney general, among others, to share classified threat information with appropriately cleared individuals in the private sector. On the other side of the street, the bill empowers and authorizes the private sector to monitor or deploy “defensive measures” on its own systems for cybersecurity purposes, or on a third party’s system, including the government’s. It also creates a framework for the private sector to voluntarily share information with the government through the Department of Homeland Security. This sharing of private sector customer data with the government is the crux of the bill. In short, private companies would be given new authority to monitor their users, and would be encouraged to share “cyber threat indicators” with the government.

If the prospect of your business interacting with the Director of National Intelligence and Department of Homeland Security makes the collar around your neck feel a bit tight, there are some provisions of the bill that may provide you with some comfort. CISA precludes the government from requiring any “entity to provide information” to the government or a third party, and explicitly states that no liability exists “for choosing not to engage in the voluntary activities authorized in this title.” In other words, participation is voluntary.

To incentivize the sharing of information from the private sector to the government, the bill establishes liability protections for certain monitoring and information-sharing activities. Most importantly, the bill provides that “[n]o cause of action shall lie or be maintained in any court against any private entity” for the monitoring and sharing of cyber threat indicators or defensive measures authorized by the bill. The only limitation to that protection is that it does not apply to “gross negligence or willful misconduct.” The liability protections also do not apply to “any action that solely involves violation of a consumer term of service or a consumer licensing agreement.” The bottom line is that CISA will provide your business with the ability to more actively monitor your users, and to share information with the government, while providing your business with protections from liability in those activities.

So, is it good business to share your customers’ information with the federal government? Companies you may have heard of, like Apple and Dropbox, say “no.” In a rare statement about proposed legislation, Apple weighed in: “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” And Apple is not alone. Privacy advocates attack the bill as simply another means for the federal government to collect personal information about U.S. citizens and build massive databases of that information.

You may have to decide very soon whether participating in CISA is good for your business. While it will take months after enactment of the law for the various government agencies to develop procedures to put the law into action, your business should develop policies and plans to address the consequences of participation or non-participation. Given the nature of your business, you should give serious consideration to how your customers would react to your choice to share their information with the government. Planning ahead and being prepared to communicate with your customers is essential. Moreover, pay attention to practical considerations, such as updating your terms of use or privacy notifications depending on whether you decide to participate in CISA. And get legal and public relations advice on balancing the risk of sharing or not sharing information.

CISA adds yet another layer of complexity to protecting your business and customer data. There are no easy answers to balancing these concerns. But when it comes to cybersecurity, you already knew that.

Richard Coad (rcoad@whdlaw.com) is an attorney with Whyte Hirschboeck Dudek S.C. practicing litigation, white collar defense, and technology law.
