Thursday, October 29, 2015

Senate passes Cybersecurity Information Sharing Act

By J. Preston Carter, J.D.

Cybersecurity legislation that has been years in the making and spanned several Congresses finally got a full Senate vote after months of bickering over whether to let members offer amendments. The Cybersecurity Information Sharing Act of 2015 (CISA) (S. 754), as amended, passed by a vote of 74-21 on Oct. 27, 2015. CISA would permit companies to voluntarily share the personal information of private citizens with the federal government if there is believed to be a cybersecurity threat.

Senate Majority Leader Mitch McConnell (R-Ky) told members that cybersecurity is a “complicated issue” while thanking the bill’s sponsors, Senate Intelligence Committee Chairman Richard Burr (R-NC) and committee Vice Chairman Sen. Dianne Feinstein (D-Cal) for their efforts at reaching a bipartisan deal. Chairman Burr said “now the work begins as we go to conference.” Senator Feinstein acknowledged the role of Sen. Thomas R. Carper (D-Del) in brokering a compromise on the Department of Homeland Security portal, while noting the bill was backed by the Obama administration.

Following passage, a number of senators and industry groups released statements, mostly in support of CISA.

Senators’ approval. Senator Mark Warner (D-Va), a member of the Senate Intelligence Committee, applauded Senate passage of CISA, which, he said, “will strengthen cybersecurity efforts by encouraging private companies to voluntarily share information while ensuring individual privacy and civil liberties.” Warner noted that the bipartisan legislation now needs to be merged with cybersecurity legislation that passed the House of Representatives before it heads to the President for signature.

Senator Lynn Westmoreland (R-Ga), Chairman of the House Permanent Select Committee on Intelligence’s Subcommittee on the NSA and Cybersecurity, said, “By improving the cyber-threat sharing capabilities between government and private companies, we can also improve the flow of timely, actionable information to protect our citizen’s sensitive information and prevent another devastating cyber­attack.

Senator Mike Rounds (R-SD) noted that a companion bill to S. 754 passed the House of Representatives earlier this year and that CISA is supported by President Obama. Rounds said the measure will help protect Americans from cyber attacks while protecting private information from being shared, and he added, it is “100 percent voluntary.”

Tester in opposition. Senator Jon Tester (D-Mont) voted against CISA, stating, "In a world where technology changes faster than our laws, we cannot and must not give corporations and the federal government unbridled authority for generations to come.” He said that CISA provides liability protections for the companies that provide personal information to the federal government but fails to provide adequate protections to the customers whose personal data is being shared.

Tester’s release stated that he supported multiple amendments to the bill that would have strengthened privacy protections and reduced the amount of personal information being shared with the government while identifying and combating cyber threats and potential threats. Unfortunately, he said, these amendments failed.

Industry response. The American Bankers Association applauded the passage of CISA with one reservation. The ABA believes CISA will help the financial industry work more effectively with the federal government and other sectors to better protect their customers from cyber threats. However, “a provision that would change the inherent voluntary nature and structure of CISA by allowing DHS to create cybersecurity standards for critical infrastructure that would have the practical impact of regulation is unnecessary and harmful.” The ABA said it looks forward to working with Congress to address this as the process moves forward.

The Financial Services Roundtable also applauded the passage with one reservation. It urged negotiators to “address problematic language contained in Section 407 of the Senate’s bill which would create duplicative regulatory oversight for financial service firms. The language also adds mandatory requirements that are inconsistent with the voluntary nature of the legislation.”



This story previously appeared in the Banking and Finance Law Daily.