The U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754). In passing it had to consider a variety of issues before it regarding the amendments to CISA. The proposed amendments of CISA have one goal in common, to enhance privacy and strengthen the privacy.
One of the issues was to clarify the definition of what is a cyber security threat and what may indicate that there has been a threat. Another is to strengthen the protection of personal identifiable information (PII). When it comes to governmental sharing of information or the Freedom of Information Act disclosures that both aspect engender heightened PII protection and that the PII is extracted from what is shared or provided upon FOIA request.
Regarding the sharing of PII among federal agencies CISA addressed the extension of liability protection in monitoring information sharing and the disclosure breach. However, the liability protection will not apply to gross negligence and the protection will not limit common law and statutory defenses in handling PII.
Furthermore, there is the implementation of frequent reporting of best practices to be implemented on the handling of PII among federal agencies sharing information. In so far as cyber security threat is defined, events involving consumer terms of service or licensing agreements are excluded from the definition. Despite CISA passing in the Senate, its reconciliation with Title II, the “Federal Cybersecurity Enhancement Act,” and the Cyber Information Sharing and Protection Act (“CISPA”) remains.