Even as the U.S. Senate passed the controversial Cybersecurity Information Sharing Act this week, privacy advocates were plotting how to limit the amount of customer information companies will be able to share.
And while the bill is almost certain to become law, these advocates say they still have some options.
“The fight over CISA is not over yet,” said Evan Greer, campaign director for digital-rights group Fight for the Future.
CISA protects companies sharing cyberthreat indicators with one another and with government agencies from customer lawsuits. Privacy groups say the bill takes only limited steps to prevent customer information from being shared with federal agencies.
The Senate’s 74-21 vote Tuesday to pass CISA is one of the last steps necessary before the bill becomes law. President Barack Obama has voiced support for the legislation, but before he signs it, CISA will go to an informal conference committee with members of the House of Representatives, which passed two similar bills earlier this year.
“[Tech companies] likely won’t be able to make clean promises about whether sensitive governmental entities, like the NSA, will be able to access personal information you share,” — Gabe Rottman, policy advisor for the American Civil Liberties Union
Privacy groups promised to continue to push for consumer protections during the conference process, but most weren’t optimistic about major changes happening there.
Instead, the best chance may come after the bill becomes law. CISA requires the Department of Justice to issue information-sharing guidelines within 180 days, and privacy groups will likely weigh in, said Greg Nojeim, a senior counsel at the Center for Democracy & Technology.
One year after the bill passes, government agencies collecting cyberthreat information will have to issue detailed reports about the program, including the number of times personal information was shared illegally and other violations of CISA, Nojeim noted.
CISA also authorizes the U.S. Privacy and Civil Liberties Oversight Board to review the information-sharing program. That group “has made it a point to, as part of its reviews, reveal to the public as much as is possible about sensitive programs,” Nojeim said.
Expect public pressure on companies sharing information, added Gabe Rottman, a policy advisor for the American Civil Liberties Union. Companies will now have to “look very carefully” at the sharing requirements when drafting privacy policies, he said.
Companies “likely won’t be able to make clean promises about whether sensitive governmental entities, like the NSA, will be able to access personal information you share,” Rottman added. “That may dissuade some companies from participating or create regulatory uncertainty.”
Lawmakers introduced similar legislation to CISA in 2011 and 2013, but those bills failed to pass, largely because of privacy concerns. But the continuing epidemic of large-scale data breaches, combined with support this time around from heavyweights like the U.S. Chamber of Commerce and from Obama, helped push CISA through the Senate, supporters said.
“Today, everyone understands what the problem is out there,” Sen. Dianne Feinstein, a California Democrat and CISA sponsor, said Tuesday.
“We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information.” — Sen. Richard Burr, (R-N.C.,) chief sponsor of CISA
CISA will improve privacy by protecting customer data from breaches, supporters argued.
The bill “better secures Americans private information from foreign hackers,” Sen. Richard Burr, a North Carolina Republican and chief sponsor of CISA, said in a statement. “We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information.”
Critics of the bill questioned whether it will have a major impact on cybersecurity. CISA is a “10 percent solution,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute.
“Ninety percent of attacks are preventable with good cyber hygiene,” she said. “People have the tools and knowledge to protect themselves and they just aren’t using it,” she said.