Congress recently passed the Cybersecurity Information Sharing Act of 2015 (CISA) as part of Division N of H.R. 2029, the Consolidated Appropriations Act, 2016 (CAA), Public Law 114-113. As previously reported, on October 27, 2015, the United States Senate passed a different version of CISA, S.754, which, without requiring such information sharing, would create a system for federal, state and local agencies to receive threat information from private companies in real time and, in addition, for the private sector to receive such information as necessary.
Neither version of the bill was without controversy. As enacted, CISA is designed to increase information sharing on cyber risks between federal, state, and local governmental agencies, and also between governmental agencies and the private sector. It is a tool that can be used to prevent and mitigate a cyber-attack.
However, there are concerns about the lack of data privacy protections within CISA. Some have expressed concerns that the final version of the law actually offers fewer protections than S.754 (the Senate version which, as noted, has been superseded by H.R. 2029). Many of these concerns center around the lack of oversight relative to the use of any data collected and the lack of an effective mechanism to scrub personal data from any information shared between the public and private sectors.