On Tuesday, the United States Senate passed S. 754 – the Cybersecurity Information Sharing Act (“CISA”). CISA’s goal is to facilitate and improve sharing about cybersecurity threats between private business and the federal government. While CISA will likely undergo some changes and still has some steps to overcome before it becomes law, Senate passage was a major hurdle. Bills similar to CISA have been pending before Congress since 2012 without success.
Under CISA, the federal government would set guidelines and procedures for receiving cyberthreat information from businesses and sharing cyberthreat information with businesses. The Department of Homeland Security would create a preferred process for businesses to use when sharing cyberthreat information.
Businesses would be given legal protections from anti-trust, trade secret, and some civil suits for cyberthreat information they share under the statute. Businesses and government entities would be required to remove unnecessary personal information before sharing it. Businesses would also be given immunity from suit to monitor their computer networks for cybersecurity purposes, and be authorized to deploy defensive measures.
CISA will now go to conference committee to be reconciled with HR 1560, which is a combination of two similar bills passed by the House of Representatives in April. A single form of the legislation will be agreed upon. Once passed, the resulting bill is expected to be signed by President Obama consistent with the directives he announced at the Cybersecurity Summit at Stanford University on February 13, 2015, at which time he signed Executive Order No. 13691 entitled Promoting Privacy Sector Cybersecurity Information Sharing.