The U.S. House and Senate have both passed versions of a cybersecurity bill that would enable companies to voluntarily share information on cyberattacks. The likelihood that some form of the measure will soon become law means employers need to consider whether or how they should participate.
The Senate passed the Cybersecurity Information Sharing Act on October 27. A similar bill passed the House earlier this year. Differences between the House and Senate versions will have to be reconciled before going to President Barack Obama for his expected signature.
Daniel Nelson, an attorney with Armstrong Teasdale in Denver, Colorado, and St. Louis, Missouri, reminds employers that the new bill is not final and is likely to change. Later, assuming some form of the bill is signed into law, implementing regulations will be promulgated, giving employers more details to consider. So Nelson says employers can’t rely too heavily on what they know at this point in the process.
The bill follows security breaches affecting high-profile companies that have spurred calls for legislation to combat cyberthreats. But Christine Mehfoud, an attorney with Spotts Fain in Richmond, Virginia, says the current bill likely isn’t enough.
“While employers have been anxiously awaiting guidance on best practices to preclude or deter a cybersecurity attack in exchange for immunity, this bill is not it,” Mehfoud says. Instead, the bill “simply encourages companies to voluntarily share information with the government and other companies in the event of a cyberthreat.”
Mehfoud says in exchange for sharing information, companies would receive immunity from antitrust and consumer privacy liabilities but not from enforcement for their own actions that may have led to a cyberthreat.
What employers should do
Nelson says that in planning their response to the likelihood of a new law, employers should begin discussions about whether they want to voluntarily share information. Then they need to look at what mechanisms they have in place and what kind of cybersecurity monitoring they can accomplish.
Some companies may decide to reevaluate their cybersecurity monitoring capabilities and possibly implement additional monitoring, Nelson says, adding that they need to be careful to document a legitimate cybersecurity purpose for monitoring. He advises employers to “keep their finger on the pulse as this moves through.”
Privacy is a key issue for employers to consider, Nelson says. “From an HR perspective, the one thing that really caught my eye is not so much the information-sharing feature of the bill but the monitoring section of the bill,” he says.
The Senate bill’s summary says the measure allows “private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on: (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities.”
The bill also allows for the monitoring of information “that is stored on, processed by, or transiting such monitored systems.” Does that include employee e-mails, texts, and other information an employee might consider private? That’s an unanswered question, Nelson says.
The language in the Senate bill summary says the measure requires the federal government and “entities monitoring, operating, or sharing indicators or defensive measures” to use security controls to protect against unauthorized access or acquisitions and to “remove personal information of or identifying a specific person not directly related to a cybersecurity threat” before sharing.
The Senate bill’s language provides system owners liability protection as long as they haven’t “engaged in gross negligence or willful misconduct in the course of conducting activities” authorized by the bill. So from an employer’s perspective, the measure provides a layer of protection so long as its monitoring can be shown to be conducted for cybersecurity purposes, Nelson says.
Criticisms of the bill
Mehfoud points to what she sees as shortcomings of the measure, explaining that employers “have been anxiously awaiting a central reporting structure for cyberthreats to resolve the piecemeal existing federal and state reporting requirements.” She says the new bill doesn’t provide any required reporting structure or preempt state laws.
Also, many companies won’t participate, seeing no benefit in disclosing their shortcomings to the federal government even though the bill does provide immunity from privacy-related liabilities, Mehfoud says. Although the bill includes immunity on the privacy front, it also requires companies to remove any irrelevant personally identifiable information that may be contained in the cyberthreat information, she says. The bill also prohibits the government from using the cyberthreat information for reasons other than cybersecurity.
Mehfoud says the bill’s opponents seem to fall into two camps. Some argue that it won’t improve cybersecurity because it is outdated and not sophisticated enough to meet the current threat, and others claim it violates consumer privacy by allowing companies to turn over consumer information to the government without the consumer’s permission.
“As with most legislation coming out of Congress these days, the bill is not a comprehensive resolution, but it’s a start,” Mehfoud says.