On October 27, 2015, the U.S. Senate passed S.754 – Cybersecurity Information Sharing Act of 2015 (“CISA”) by a vote of 74 to 21. CISA is intended to facilitate and encourage the sharing of Internet traffic information between and among companies and the federal government to prevent cyber attacks, by giving companies legal immunity from antitrust and privacy lawsuits. CISA comes in the wake of numerous recent, high-profile cyber attacks.
CISA is supported by the Department of Defense, the White House, the U.S. Chamber of Commerce and various financial industry groups. The Securities Industry and Financial Markets Association’s President and CEO Kenneth E. Bentsen Jr. stated, “The threat our economy faces from cyber attacks is real and information-sharing legislation will help the financial services industry to better protect our systems as well as the privacy of our customers.”
CISA, however, has come under attack by privacy and civil liberty organizations and technology companies who claim that CISA lacks appropriate privacy safeguards and does not do enough to limit the government’s use of users’ information. The Computer & Communications Industry Association, a technology industry trade group, stated, “[We] recognize the goal of seeking to develop a more robust system through which the government and private sector can readily share data about emerging threats. But such a system should not come at the expense of users’ privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilize the infrastructure the bill aims to protect.”
CISA comes on the heels of two similar bills passed by the House of Representatives, H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 and H.R. 1560, the Protecting Cyber Networks Act. While CISA is similar to these pieces of legislation, a conference will be necessary to resolve differences between the House- and Senate-passed bills. Details on that conference, including who will be in attendance and whether the conference will be held on the House- or Senate-side, are not yet available but are expected to be resolved soon. One House aide reported that the conference would likely take place by the end of the year, saying, “We’re not expecting any fireworks or drama.” The Obama Administration has indicated support for the cybersecurity information sharing legislation, and President Obama is expected to sign the final bill.