The Senate recently passed the Cybersecurity Information Sharing Act of 2015 (S. 754) (CISA) to incentivize information sharing between and among private industry and the government about cyber threat indicators and defensive measures. Among other information sharing inducements, CISA establishes liability safeguards for companies that monitor information systems and share cyber threat information. Although CISA encourages companies to voluntarily share information about cyber threats with other companies and the government, it does not create any new mandatory sharing requirements.
CISA requires entities that monitor an information system or provide and receive information about cyber threats or defensive measures to establish security controls against unauthorized access. CISA also requires that, prior to sharing information about cyber threats, companies remove from the shared information any personal information (a term not defined in CISA) that is not directly related to the threat. Privacy advocates remain concerned that the general requirement to remove personal information does not provide sufficient protection for individuals’ personal information.
Prior to its passage in the Senate, the proposed legislation was debated for an extended period to, among other things, consider the privacy concerns. The House of Representatives must now decide whether to reconcile CISA with legislation that the House passed in April 2015.