Senators Rounds and Thune dealt a severe blow to consumer privacy when they helped to pass the Cybersecurity Information Sharing Act (CISA) on Oct 27th 2015. From Senator Rounds’ press release:
The bipartisan cyber security bill we passed in the Senate today will help protect Americans from such cyber-attacks by allowing companies to share information about cyber-threats to prevent other businesses from falling victim to similar threats. It does so while protecting Americans’ private information from being shared and is 100 percent voluntary.
This statement, however, is very misleading. Sen. Rounds and other proponents assure us that our private information is protected, but that’s not the case. Here’s what we know about CISA and consumer privacy:
- CISA grants companies that share data with the government broad immunity from liabilities stemming from violations of privacy law. CISA spells out that information gathered can be shared “notwithstanding any other provision of law.” That means that any laws with respect to financial privacy, health privacy, and communications privacy are effectively null and void when it comes to sharing cybersecurity information with the government. If companies weren’t going to share private information with the government, then these privacy law exemptions would not be needed.
- CISA includes the first new exception to the Freedom of Information Act in decades. This ensures that the American public can never see what information companies are sharing with the government.
- The definition of what can be shared with the government does not exclude private information.
- The requirement that companies strip personal or identifying information from data shared with the government only applies if the company knows about the presence of the information “at the time of sharing.” This creates a giant loophole that allows companies to send large amounts of data to the government that includes private information so long as the company doesn’t examine the data for private information first.
- The bill does not require that companies act in good faith and it does not provide a cause of action for companies whose sharing would qualify as willful misconduct. So companies can share vast amounts of private information with no consequence.
- Senators Rounds and Thune voted against a failed amendment that would have strengthened consumer privacy by requiring that companies remove any personal information that’s not necessary to describe the cyber-threat.
- Senators Rounds and Thune voted against a failed amendment that would have required federal agencies to remove private information if it wasn’t directly related to cyber-security.
- Senators Rounds and Thune voted against a failed amendment that would have eliminated the Freedom of Information Act exemption.
Companies already can and do share information about cyber-threats with one another and the government, and they do so while protecting the privacy of their users. So why do we need CISA? Many cyber-security experts believe that CISA isn’t needed and may actually harm cyber-security efforts. We’ll likely never know the true intentions of the bill since it was crafted in top secret sessions of the Senate Intelligence Committee. Sen. Wyden, who sits on that committee, publicly called CISA a “surveillance bill by another name”. Regardless of its true nature, it’s clear that this bill and the votes by Senators Rounds and Thune demonstrate a callous disregard for the privacy rights of South Dakotans.
Though CISA’s fate now seems certain, it must still go to conference to resolve differences from the House version of the bill. There’s still time to contact your representatives and urge them to vote NO on the final version.