Nov 12, 2015 12:58 PM
Legal Login
with Mindi Giftos
What does the Cybersecurity Act mean for your business?
According to a 2013 study by the Center for Strategic and International Studies, cybercrime costs the United States an estimated $100 billion per year. Businesses and the government clearly have an interest in curbing those losses. On Oct. 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA, S. 754). While it still must be reconciled with the House version and then signed by the president, the bill seems likely to be enacted into law sometime in early 2016.
So what exactly is CISA? The bill is built on the premise that private businesses and the federal government have a mutually vested interest in security from cyberattacks and that, currently, information is insufficiently shared between public and private entities. Better sharing of information about new cyber intrusions could help defend against future attacks, proponents of the law argue.
Thus, Title I of CISA includes provisions to encourage the sharing of information between private and public entities. On its face, the bill appears to be a two-way street. It allows the government, through procedures to be established by the Director of National Intelligence, the secretaries of Homeland Security and Defense, and the attorney general, among others, to share classified threat information with appropriately cleared individuals in the private sector. On the other side of the street, the bill empowers and authorizes the private sector to monitor or deploy “defensive measures” on their own systems for cybersecurity purposes or with a third party’s system, including the government’s. It also creates a framework for the private sector to voluntarily share information with the government through the Department of Homeland Security. This sharing of private sector customer data with the government is the crux of the bill. In short, private companies would be given new authority to monitor their users, and would be encouraged to share “cyber threat indicators” with the government.
If the prospect of your business interacting with the Director of National Intelligence and Department of Homeland Security makes the collar around your neck feel a bit tight, there are some provisions of the bill that may provide you with some comfort. CISA precludes the government from requiring any “entity to provide information” to the government or a third party, and explicitly states that no liability exists “for choosing not to engage in the voluntary activities authorized in this title.” In other words, participation is voluntary.