Controversial Cyber Security Bill Passes Senate: What About Privacy?
Last month, the U.S. Senate passed a version of the Cybersecurity Information Sharing Act (CISA), a bill that encourages companies to share information about cyber attacks and data breaches with the federal government. The bill includes the most sweeping cyber security regulations ever put forth by the U.S. government, and it’s not without controversy. While supporters argue that the bill could help both businesses and the government minimize the impacts of cyber attacks, a number of consumer interest groups and tech companies remain critical of it.
Sharing Information and Reducing Liability
The proponents of CISA contend that information sharing is vital to cyber security. By encouraging companies to share information about cyber attacks, data breaches and other cyber threats with the Department of Homeland Security (DHS), they argue that both governmental agencies and companies will be alerted to vulnerabilities earlier, and, hopefully, can then devise solutions to mitigate the damage of a cyber attack.
Moreover, as a way of encouraging companies to share information, the bill includes provisions that would limit the liability of companies in handing over potentially sensitive information. That provision does come with some caveats, and it requires companies to make good-faith efforts to anonymize sensitive personal information that may be attached to the data before sending it to DHS.
Consumer Privacy and Gray Areas
Privacy is the biggest concern for the bill’s critics. Many say that the language in the bill is so vague that it gives companies carte blanche to hand over virtually all private customer data. That concern has even extended to a number of tech companies, like Apple and Dropbox, which have publicly opposed the bill, in part fearing customer backlash against companies that agree to hand over customer data to the federal government.
Others are concerned that the language is vague about just how far liability protections extend. For instance, if a company recognizes a vulnerability and reports it—but does nothing to correct the vulnerability—it’s unclear whether or not the proposed law would leave that company liable in the event of a data breach.
Before the bill becomes law, Congress will have to reconcile the Senate version with the House version of the bill. Rest assured that as the law and your liabilities change, your trusted advisors at Waldorf Risk Solutions, LLC will keep you up to date.