By Danielle Dean
The Senate last month showed strong support for the Cybersecurity Information Sharing Act (CISA), voting to pass the legislation 74-21.
Two similar cybersecurity information sharing bills also have passed in the House, leaving lawmakers with the task of reconciling their versions of the bills and passing a unified bill into law.
CISA is an information sharing bill that allows private companies, as well as state and local governments, to share data breach indicator information with the federal government.
It incentivizes entities to submit data breach indicators and permits private companies to monitor submissions placed by other private or government entities when they have written consent.
They can use data to operate programs that will detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on their own information systems.
Important State Limitations
States may use data breach information to prevent, investigate and prosecute violators specifically for cybersecurity purposes. The bill also specifies that any information shared with the state will be exempt from release under disclosure laws.
What the bill prohibits, however, is the use of cyber threat indicators or defensive measures shared with the state to regulate, including through an enforcement action, the lawful activity of any entity.
CISA also limits how threat indicator information provided by outside entities to state governments can be used, pre-empting certain state laws on data security. The law also requires the federal government to share such information with states but with key limitations, such as when the federal government deems the sharing “appropriate” and after the government has time to review the information and remove any personal information or any reference to a person not directly related to a cybersecurity threat.
Another key component of the bill is addressing the civil liberties and privacy concerns inherent in information sharing. In addressing this issue, the federal government is required to develop and promulgate procedures for the “timely” sharing of information with private entities, nonfederal government agencies or state, tribal or local governments, as well as for protecting the privacy of individuals.
NCSL policies recognize the serious threats to information infrastructure and data management, and NCSL believes all levels of government should work together as equal partners. The limitations on data use, pre-emption of state cybersecurity laws and the timeline for data sharing remain a concern. NCSL remains committed to finding solutions that engage state and local governments as critical stakeholders.
It is vital to collaborate with state and local governments in enforcement, especially because state attorneys general have an essential role in investigating incidents and pursuing legal action against lawbreakers. NCSL will continue to monitor the progress of the bill as it proceeds through the House.
Danielle Dean is a policy specialist for NCSL's Law, Criminal Justice and Public Safety committee.