On Tuesday, June 17, Sen. Dianne Feinstein released a discussion draft of the Cybersecurity Information Sharing Act, which is a bill drafted by Senators Feinstein and Chambliss through the Senate Intelligence Committee.
This bill is part of an ongoing effort to address the growing threat to national and economic security from cyber intrusions and attacks. According to a statement released by Senator Feinstein’s office, the bill incentivizes the sharing of cybersecurity threat information between the private sector and the government and among private sector entities. In particular, the bill:
- Removes legal barriers for companies to share, receive and use cyber threat information and defensive measures on a purely voluntary basis.
- Provides liability protection for the sharing of cyber information for cybersecurity purposes.
- Provides privacy protections by:
(a) requiring companies to remove personally identifying information from cyber threat information before sharing;
(b) requiring the attorney general to write procedures to limit the government’s use of cyber information “to appropriate cyber protections” and to ensure privacy protections are in place;
(c) mandating that information shared with the federal government through real-time information sharing or other electronic methods be provided to the Department of Homeland Security in order to receive liability protection;
(d) requiring reports by the Privacy and Civil Liberties Oversight Board, relevant federal inspectors general, and by agency heads on the use of authorities and protections under the bill.
- Authorizes and provides liability protection for companies to monitor their networks.
- Directs the federal government to share information with the private sector at both classified and unclassified levels.
It will be interesting to see if Congress will pass this bill with just over seven weeks left in its current session. What’s become clear is there is a growing trend requiring businesses to be more proactive in addressing threats to their cyber security. Of course, privacy concerns abound where companies would receive liability protections from data sharing given the fear over abuses relating to consumer data both by the private and public sectors.