CRS Reports & Analysis
Legal Sidebar
Senate Passes Cybersecurity Information Sharing Bill –
What’s Next?
10/28/2015
After several years of legislative debate on how to reconfigure the legal framework for the collection, sharing, and use
of cyber-threat information amongst the private sector and the government, on Tuesday October 27
th
, the Senate voted
74-21 to pass S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA). CISA generally attempts to clarify
the often-murky legal landscape that impacts cybersecurity information sharing, as current efforts are governed by a
host of different laws, including tort, privacy, and antitrust laws, that proponents of CISA argue chill private entities’
willingness to share cyber-threat information with each other and the government. While the passage of CISA marks
the first time the upper chamber has passed a comprehensive bill respecting cybersecurity information, CISA now
heads to a joint-conference committee where negotiations will reportedly occur over how to reconcile the Senate bill
with two pieces of legislation – H.R. 1560 (Protecting Cyber Networks Act or PCNA) and H.R. 1731 (National
Cybersecurity Protection Advancement Act OR NCPAA) – that were passed by the House of Representatives in April
of this year.
So what are the major differences between the two House cybersecurity information bills and CISA? Here are five
areas where the three bills differ and may be the center of negotiations in conference.
Liability protections: As noted in this legal sidebar, recent cybersecurity information sharing legislation is not
just about clarifying the legal framework respecting the sharing of information; bills like CISA, PCNA, and
NCPAA are also concerned with encouraging the collection of cyber-threat indicators (CTIs) and the use of so-
called defensive measures (DMs) to help combat known cyber-threats. To help clarify the laws governing the
collection, sharing, and use of cybersecurity information, all three bills provide some civil and criminal immunity
for entities complying with the new laws respecting the collection or sharing of cybersecurity information. The
bills differ, however, with respect to the nature and scope of liability protections provided, including:
Good faith provisions: The two House bills contain a “good faith” provision that immunizes “good faith
failure[s] to act” based on the sharing or receipt of CTIs or DMs in accordance with the Act. CISA does
not contain a similar provision and merely immunizes causes of action based on the sharing or receipt of
CTIs or DMs.
Exceptions to liability protections: While all three bills would exempt from immunity protections “willful
misconduct” related to monitoring or information sharing, CISA also does not extend liability protections
to “grossly negligent” acts.
Evidentiary burdens: The two bills that passed the House place a burden on a plaintiff to prove by “clear
and convincing evidence” that a private entity engaged in willful misconduct. CISA does not contain a
similar provision.
Privacy and civil liberty concerns: One of the central issues in the debate over cybersecurity information
legislation is the extent to which private entities in collecting and sharing cyber-intelligence are risking the
unnecessary dissemination of personal identifying information (PII) with other private entities or the government.
While all three bills have several provisions aimed at alleviating privacy concerns (including authorizing the
creation of privacy “guidelines” with which the federal government must comply) , the bills vary in several
respects, including:
Removal of PII: Both of the House bills require private entities to take “reasonable efforts” to remove or
