CISA Boom Bah ...
Sorry, I just couldn't resist the title which does not reflect my true feelings about CISA, the Cybersecurity Information Sharing Act of 2014. Approved earlier this month by the Senate Intelligence Committee, this bill awaits Senate floor action. In the current environment, I think its legislative prospects are modest (though perhaps we might see it combined with the NSA reform bill -- which would be a hoot). Nevertheless, it is worth summarizing some of the high points of the legislation since it reflects, I am told, the product of significant back and forth with the Administration and within the Committee. Here are some of the highlights:
First, CISA appears to have relatively strong liability protections. Section 6(a) provides that no cause of action shall lie against a private entities for the monitoring of information systems and information conducted in accordance with the bill. Section 6(b), likewise defines away a cause of action when private entities share cybersecurity threat and vulnerability information as allowed. Finally, subsection 6(c) provides that good faith is a "complete defense" if a cause of action is not dismissed or precluded by subsections (a) and (b). The protection is not complete, as subsection (d) allows a cause of action for "gross negligence" or "willful misconduct." Some will see this last caveat as an invitation to creative pleading, but with the more stringent pleading requirements currently in vogue in Federal litigation, a fair assessment is that this liability provision is quite robust.
Second, on the question of how broadly information may be shared, CISA leans a little toward a broader sharing model than some privacy advocates will want to see but one that, in my view, still makes some unusual choices. Section 5 (d) first sets out the broad limitation -- that cyber threat information may only be shared for cybersecurity purposes. It then, however, caveats that limitation by carving out some exceptions. It allows sharing for "the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death or serious bodily harm," for investigating child pornography and exploitation; for prosecuting identity theft and espionage; and for prosecuting the theft of trade secrets. There is some logic to most of these -- they are, in some sense, uniquely enabled by cyber means. But I suspect that it is in the end a mistake to try and draw fine lines like this. I can imagine any number of edge cases and plenty of litigation opportunities that this contrived language will create.
Finally, CISA adopts the "hub and spoke" method of disseminating information, establishing a "portal" managed by the DHS through which information can be shared. I continue to think this is needlessly bureaucratic and will slow efforts without any real value add -- but apparently it is a political necessity.