The U.S. House of Representatives passed an amended version of the Cyber Intelligence Sharing and Protection Act (CISPA), with a 288-127 vote. The current version of CISPA (H.R. 624) would provide private-sector companies with protection from liability for sharing information on cyber-threats with federal government agencies. With the passage of this bill, the House attempts to resolve the problem of President Barack Obama’s Cybersecurity Executive Order not providing any liability protection to reporting companies. The bill provides both criminal and civil immunity for corporations sharing information with government agencies, as long as they act “in good faith.” The amended version defines a lack of good faith as including “any act or omission taken with intent to injure, defraud or otherwise endanger any individual, government entity, private entity or utility.” It also requires the Director of National Intelligence to establish procedures to permit “elements of the intelligence community” to share cyber-threat information, including classified information, with U.S. companies and utilities.
CISPA expressly limits the federal government’s use of cyber-threat information to cybersecurity purposes and the investigation and prosecution of cybersecurity crimes (as well as the prevention of death or serious bodily injury to individuals and various threats against children), and specifically prohibits the government from searching cybersecurity information for any other purpose. The federal government also may not use sensitive personal information (defined to include a number of categories containing information that can be used to identify individuals, including tax returns, medical and educational records, firearms sales records, library circulation records and patron lists, and book sales records), except in accordance with established policies and procedures to protect the private and confidential nature of this information. The bill mandates that the Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, establish these policies and procedures.
While CISPA immunizes private-sector companies from liability, it also establishes a private right of action in federal court for actual or statutory damages for any person “adversely affected” by the government’s willful or intentional violation of the express restrictions on the protection, disclosure, and use of the shared information.
The recent amendments to the House version of CISPA were aimed at satisfying concerns about protection of individual privacy – including those expressed by President Barack Obama in a statement released prior to the bill’s passage. The President, however, has expressed grave concerns about this bill in its present form and has threatened to veto the bill because it does not require private-sector organizations sharing information “to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” and affords broad immunity to the sharing companies. The amended version now goes to the Senate for consideration.