Cybersecurity Information Sharing Act

In an effort to protect consumers and help companies defend against cyber-attacks, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA), encouraging business to share cyber-threat information with the federal government.

(Sec. 3) Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote: (1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.

Essentially, the legislation encourages businesses to provide the federal government with information associated with a cyber-threat, which may include personal information. In turn, the government will provide those businesses with liability protection, shielding companies from lawsuits if they share certain types of data.

Critics suggest that the Act threatens consumer privacy, as hypothetically, companies could share personal information with the Department of Homeland Security (and in turn, the FBA and NSA). Other critics debate the actual impact the Act will have in preventing cyber-attacks. In a statement from the Electronic Frontier Foundation, “The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”

Supporters indicate that the Act encourages companies to remove any personal information that is unrelated to the cyber-threat before sharing information, and that the government must do the same. Additionally, it restricts the government from using information gained to investigate or prosecute criminals for unrelated crimes.

An important takeaway here is that while the Act does provide some safeguards for businesses that choose to share information, it does not protect them from the implications of poor security management and failing to adequately protect their data. Law firms and businesses that undervalue the data they maintain and the effort needed to protect it, take a tremendous risk. A single attack could not only result in a loss of their data, productivity and revenue, but ultimately, their reputation. It’s no longer optional to have a cybersecurity plan.

Sources:

Leave a Comment