The House has approved the Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 624). CISPA allows private companies and the federal government to exchange information relating to cybersecurity threats.
The bill was passed in the face of some concerns that it might provide private consumer information to the government. According to Reuters, President Obama has threatened to veto the bill on the basis that it supposedly does not mandate that companies take the greatest efforts to remove personal information before providing it to the government.
CISPA specifically states that it would amend the National Security Act of 1947 by adding a new section titled “Cyber Threat Intelligence and Information Sharing.”
That section provides that the Director of National Intelligence is to establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private entities and utilities.
As such, classified cyber threat intelligence may only be shared by an element of the intelligence community with a certified entity or a person with appropriate security clearance, and only in a manner consistent with the need to protect the national security of the United States.
Cyber threat information is to be shared only pursuant to restrictions placed on the information by the protected entity authorizing such sharing, and may not be used to gain any unfair competitive advantage to the detriment of a protected entity authorizing the information-sharing.
Information shared is to be exempt from disclosure under the Freedom of Information Act. Furthermore, there is to be no civil or criminal liability based on a protected entity sharing cyber threat information in good faith.
Shared cyber threat information may be used by the federal government for cybersecurity purposes, for the investigation and prosecution of cybersecurity crimes, for the protection of individuals from danger of death or serious bodily harm, and for the protection of minors from child pornography, sexual exploitation and threats to their physical safety.
CISPA also provides that the Director of National Intelligence shall establish policies and procedures that, among other things, “minimize the impact on privacy and civil liberties” and “protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable.”
The devil always is in the details. And while the bill likely is positively motivated and calls for policies and procedures to be created to protect privacy, civil liberties and confidentiality, it very well may be that such policies and procedures will need to be specifically outlined in advance before this type of legislation actually can become law.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.