Soon, the Senate will consider S. 754, the Cybersecurity Information Sharing Act (CISA). The bill aims to allow companies to defend their systems against cyber attack by facilitating better sharing of “cyber threat indicators” (CTIs) among private companies and between companies and government agencies. Unfortunately, the bill defines this key term so broadly that it could include nearly any type of user behavior or communications, such as browsing history, email, or chat history. Thus, whatever the intentions of CISA’s sponsors, the bill could end up facilitating large-scale sharing of sensitive private user information with the government.

This concern is amplified by three other aspects of the bill: incentives to share, what’s shared, and how it’s used. The first two are closely related.

CISA creates a sweeping immunity for sharing information with the government — by barring any “cause of action” against private companies for sharing information with the government or each other. There’s something to be said for this approach, since current privacy law imposes statutory damages for sharing information. CISA includes two exceptions to this immunity: (1) “gross negligence or willful misconduct” and (2) preserving “any current or future contractual agreement, terms of service agreement, or other contractual relationship between any entities, or between any entity and a Federal entity.” Both are welcome changes compared to previous versions of the bill, but they’re not quite enough to resolve the difficult question of how to ensure that companies adequately scrub private information — without either setting such prescriptive requirements for information scrubbing or creating such open-ended liability that companies hesitate to share information when doing so really would enhance cybersecurity.

The bill does not maintain all common law causes of action, as we’ve previously argued it should. (A confusing provision in the immunity section refers only to common law defenses companies might invoke.) The bill doesn’t preserve common law tort remedies — and the statutory remedy it creates instead, for “gross negligence or willful misconduct,” is probably too narrow.

The best answer would be to create liability for something closer to ordinary negligence in failing to scrub personal information. Companies may object that this will create too much uncertainty over information sharing, but of course, companies could protect themselves from such liability by writing their contracts with customers to specify more clearly how they will scrub personal information. But without this potential liability, companies simply do not have an incentive to address these issues in their contracts. If companies worry that ordinary negligence sets too low a bar, the right answer is probably to include some kind of harm requirement (not found in ordinary common law negligence), rather than raising the bar of negligence to “grossness” (something very hard to prove). That could allow private plaintiffs a remedy when they’re actually injured without unduly discouraging information sharing.

Simply put, we believe this issue should be left up to private ordering: tort should set the baseline incentives and contract should be the primary means for setting standards — not the kind of prescriptive regulation that has traditionally been used in federal privacy statutes.

Indeed, it’s not even clear how often companies should need to worry about potential liability — that is, whether CTIs would actually include personal information. A recent letter to Congress signed by 67 leading technologists made a strong case that the kinds of CTIs that would actually be useful for cybersecurity experts to defend systems from attack in real time simply would not need personally identifiable information (PII). Furthermore, companies should probably do some scrubbing anyway — not to protect privacy, but simply to avoid clogging up the mechanisms of information-sharing. As NSA Director Admiral Mike Rogers has said, sharing CTIs without scrubbing personal data would slow operations and negatively impact NSA’s cyber defense activities.

Finally, CISA allows law enforcement agencies far too much latitude in using sensitive personal information shared with them as part of a CTI. First, CISA specifically allows law enforcement agencies to use information shared with the government for investigations and prosecutions for a litany of offenses unrelated to cybersecurity — without a warrant. This would include arson, carjacking, and a series of offenses related to the possession or sale of firearms. Because CISA requires that information shared with one government agency be automatically forwarded to many other government agencies, it’s not hard to imagine CISA leading to a great increase in prosecutions.

Second, CISA doesn’t include any “suppression remedy” — language that would bar law enforcement from using evidence somehow obtained in violation of CISA. Without such a limitation, CISA could lead to law enforcement prosecuting a far wider range of crimes than those for which it specifically authorizes law enforcement to use CTIs as evidence.

Congress needs to address these concerns in further hearings and carefully consider them before moving forward on CISA. If the bill as written reaches President Obama’s desk, he should veto it.

 
