Generally speaking, the CISA is designed to help reduce the number of corporate data breaches by encouraging companies to share “cybersecurity risk” data with the Department of Homeland Security (“DHS”). Under the CISA, DHS would take any such provided information and pass it on to other law enforcement and security agencies, such as the FBI and NSA, respectively. The logical questions arise as to what cybersecurity risk information would trigger such a disclosure, what personally identifiable information (“PII”) is contained in such risk data, and how is that information being used. As with any sweeping legislative bill, there remain many questions. Many entities oppose the CISA, to include companies such as Apple and Twitter. Security experts have also questioned the real value of sharing information in fulfilling the Act’s legislative intent of stopping or stemming the tide of major security breaches in the U.S. And, as you might expect, numerous privacy advocacy organizations have formally opposed the bill. So, at a minimum, it is good to see there is a healthy debate about what security is really being achieved and, at what cost to privacy. In times past (see Patriot Act), such discussions were non-existent. So, going slowly here and considering all the consequences (intended and not so much) would be wise.
A Road Paved with Good Intentions. Indeed, as I have found in practice, there are times in which sharing information related to an identified security risk with law enforcement makes good sense. Benefits include gaining insight into a broader risk and implementing changes, not to mention meeting one of the myriad of state law requirements for consulting with law enforcement in the event of breach. Furthermore, there is no question that one company sharing cybersecurity risk information, or even information pertaining to a hack of its system, with other companies or law enforcement can benefit other companies (and their customers) by enabling them to hopefully avoid the same hack by implementing protections or filling similar gaps that it may have. The opposition’s concerns are not with the value gained by sharing credible threat information for the greater good. The concern lies in the details, specifically the lack of clear business controls and protections for PII in the process of sharing such information.
“Cybersecurity Risk.” I think the key word in all of this is the term, “cybersecurity risk.” As in almost every statute or contract, the definitions reign supreme. It is this risk that triggers the “voluntary” sharing (We will discuss “voluntary” later). The CISA states “cybersecurity risk” information gathered can be shared “notwithstanding any other provision of law.”[i]
From the CISA by way of Section 227 of the Homeland Security Act:
(1) the term ‘‘cybersecurity risk’’ means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of information or information systems, including such related consequences caused by an act of terrorism;
Which naturally begs a review of the definition of “information systems.” So, also from Section 227 of the Homeland Security Act by way of Section 3502(8) of Title 44, United States Code:
the term “information systems” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;
Besides being so much fun to find, the terms are, if anything, broad and rather vague. By any reasonable interpretation, ANYTHING could be an “information system,” especially as the system definition is not limited to systems in which PII or other sensitive information (trade secrets, intellectual property) is processed. This leaves companies in the position to determine what is really a risk, regardless, of the personal information included. This can be a considerable burden for companies to manage, in addition to their standard business operations.
“No Privacy Concerns.” CISA supporters argue there are no privacy concerns because the law requires all PII to be removed before sharing with DHS. Well, that’s not entirely true, as the current version of the CISA is less privacy-centric than even the House’s version, the “Protecting Cyber Networks Act.” The House bill requires that companies not share information that they “reasonably believe” to contain information that is personally identifiable. CISA states that companies should not give up information they “know at the time of sharing” to contain PII or other sensitive information. This does not give privacy advocates a warm fuzzy, to be sure. Effectively, this removes any affirmative duty to scrutinize information before sharing it with the government. Accepting such an approach would undermine all the best practices of sound data governance. Or, at the very least, it sends a confusing message to businesses trying to do the right thing: “Sure, you should scrutinize all information that comes into and out of your company, to ensure PII is handled properly—except for when sharing it with the government.”
Hey, Man, Chill Out, It’s Voluntary. If companies still remain concerned about undermining privacy by complying with such a law, CISA supporters say companies don’t have to if they do not want to. They reiterate that corporate information sharing is “voluntary” under the CISA. Is it really? Technically, yes. There is no explicit legal obligation to share such information. But perhaps it is more “voluntary” in the same way it is voluntary to stay late into the holiday weekend because your boss is doing the same. Or, like my drill sergeants told me, “It is not mandatory, but it would BEHOOVE you to shine your boots tonight as to not risk failing to be ready in the morning should there be an emergency.”
While companies do not have to participate in the information sharing, there are pretty strong incentives to cooperate--incentives that benefit the company and not necessarily its customers. Indeed, similar to tax breaks to motivate charitable giving, the government provides legal incentives for companies to share such information by making them immune against any legal liability for any security failure if that information is shared directly to the Department of Homeland Security. So, even if a company actually violated a state or federal privacy law, it may still receive immunity if it provides “cybersecurity risk” information to the government under CISA. Surely this poses a conflict of interest for companies, does it not?
Slow Down. Easy There, Big Fella. When I give talks on privacy, I often pose the following question (in the style of the Jeopardy! game show):
Answer: Getting married, having a child, buying a gun, sending a Tweet and passing federal legislation.
Question: What are things that should never be done in a hurry?
I think that is always sound guidance and most certainly is with the CISA, or any consolidated version thereof that might find its way before the President. Perhaps the stew should cook a little longer, with both the regulators and the regulated having some more time to discuss exactly HOW this process is going to work, and how privacy work done by so many companies to protect customer information in the era of data breach can be balanced with the ongoing need to safeguard Americans and their way of life.
[i] That is a pretty broad exemption in the Act, by the way--one which seemingly puts security above privacy in all cases. Many senators reportedly proposed changes to better protect privacy, but all were voted down.