The Cybersecurity Information Sharing Act was introduced by Sen. Dianne Feinstein (D-California) in June 2014 following several high-profile cyber-attacks targeting major US corporations. It would purportedly protect user data from falling into the wrong hands. After debating the merits of the bill, it passed the Senate in a 74 to 21 vote.
The bill now goes to a conference committee between the House of Representatives, which previously passed its own version, and the Senate. If or when that is approved, the bill would head to President Barack Obama.
Under the bill, companies would have increased liability protection when collecting and sharing user person information that could potentially be related to security threats. The proposed legislation also makes it easier to share that data with government agencies and with each other.
This caused the concern of privacy advocates, leading to delays in the bill’s journey through Capitol Hill. Several amendments to address privacy concerns were added to the bill, but they were all voted down.
One of the defeated amendments was proposed by Sen. Ron Wyden (D-Oregon), a critic of the privacy violations that he says the bill would facilitate. The Wyden amendment would have inserted language to protect personally identifiable information by making companies remove it “to the extent feasible” because personal information doesn’t provide information about cyber threats. The default language in CISA gives companies leeway to only remove personally identifiable information if companies “know” that it is not directly related to a cybersecurity threat.
Wyden also criticized the fact that CISA’s information sharing is promoted as voluntary, even though it is only voluntary for companies ‒ not customers. Even if users sign privacy agreements with companies, the businesses can break those agreements and remain protected from legal recourse.
“[They say] that the most important feature of the legislation is that it’s voluntary. The fact is, it is voluntary for companies. It will be mandatory for their customers,” Wyden said about the bill earlier in October. “And the fact is the companies can participate without the knowledge and consent of their customers, and they are immune from customer oversight and lawsuits if they do so.”
Despite being supported by a wide variety of organizations across the political spectrum, the Wyden amendment failed with a vote 41 to 55.
The Heller amendment was put forth by Sen. Dean Heller (R-Nevada) in case the Wyden amendment failed. It had similar measures, and would put the onus on the Department of Homeland Security (DHS) to remove personally identifiable information that doesn’t look related to cyber-threats. The Chamber of Commerce expressed its support for the Heller amendment.
“This cure is worse than the problem. Privacy for Nevadans is non-negotiable,” Heller said of CISA on the Senate floor on Tuesday.
The Leahy amendment, introduced by Sen. Pat Leahy (D-Vermont), was offered to deal with the issue of CISA’s sweeping Freedom of Information Act (FOIA) exemptions. Even with the amendment, most information shared between the federal government and companies would already be protected from FOIA requests as it is considered proprietary information.
“The vast majority of the exemption is already protected from disclosure,” Leahy said before the amendment came to a vote on Tuesday. He added that new exemptions are unwarranted, and that they unnecessarily override state and local state laws.
“Those who believe in local control would agree with me. It knocks out hundreds of state and local laws.”
The Franken amendment was put forth by Sen. Al Franken (D-Minnesota) to narrow the bill’s definitions of “cybersecurity threat.” It would have limited that designation to actions that are “reasonably likely to” cause damage to the company’s network, as opposed to CISA’s default “may.” The provision would also limit an aspect of the definition of “cyber threat indicator” to include only information necessary to describe actual harm caused by an incident, not “potential harm,” as in the original bill.
The Franken amendment failed 35 to 60.
While the White House came out in support of the bill just last week, opposition remains staunch from tech industry leaders. Groups that have come out against CISA include tech giants such as Google, Apple and Yelp, as well policy advocacy organizations such as the Electronic Frontier Foundation, FreedomWorks and Center for Democracy and Technology.