The NCSL Blog


By Danielle Dean

The Senate last month showed strong support for the Cybersecurity Information Sharing Act (CISA), voting to pass the legislation 74-21.

Two similar cybersecurity information sharing bills also have passed in the House, leaving lawmakers with the task of reconciling their versions of the bills and passing a unified bill into law.

CISA is an information sharing bill that allows private companies as well as state and local governments to share data breach indicator information with the federal government.

It incentivizes entities to submit data breach indicators and permits private companies to monitor submissions placed by other private or government entities when they have written consent.

They can use data to operate programs that will detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on their own information systems.

Important State Limitations

States may use data breach information to prevent, investigate and prosecute violators specifically for cybersecurity purposes. The bill also specifies that any information shared with the state will be exempt from release under disclosure laws.

What the bill prohibits, however, is the use of cyber threat indicators or defensive measures shared with the state to regulate the lawful activity of any entity, including through an enforcement action.

CISA also limits how threat indicator information provided by outside entities to state governments can be used, pre-empting certain state laws on data security. The law also requires the federal government to share such information with states but with key limitations, such as when the federal government deems the sharing “appropriate” and after the government has time to review the information and remove any personal information or any reference to a person not directly related to a cybersecurity threat.

Privacy Concerns

Another key component of the bill addresses the civil liberties and privacy concerns inherent in information sharing. The federal government is required to develop and promulgate procedures for the “timely” sharing of information with private entities, nonfederal government agencies, or state, tribal or local governments, as well as procedures for protecting the privacy of individuals.

NCSL Policy

NCSL policies recognize the serious threats to information infrastructure and data management, and NCSL believes all levels of government should work together as equal partners. The limitations on data use, pre-emption of state cybersecurity laws and the timeline for data sharing remain a concern. NCSL remains committed to finding solutions that engage state and local governments as critical stakeholders.

It is vital to collaborate with state and local governments in enforcement, especially because state attorneys general have an essential role in investigating incidents and pursuing legal action against lawbreakers. NCSL will continue to monitor the progress of the bill as it proceeds through the House.

Danielle Dean is a policy specialist for NCSL's Law, Criminal Justice and Public Safety committee.
