Anti-Hacking Bill Aims to Protect Companies That Share Consumer Information
Written by: Dustin Pellegrini | Thu, 01 Oct 2015 20:51:12 +0000
The Senate Intelligence Committee has advanced a bill that would protect companies from lawsuits should they share consumer information related to hacking attacks with the government or fellow businesses.
Privacy advocates have expressed concern that parts of the Cybersecurity Information Sharing Act (CISA) would grant the government unneeded access to consumer data, while the Obama administration contends that the sharing of information is necessary to respond to modern, sophisticated cyberattacks.
Senators Richard Burr and Dianne Feinstein authored the bill and say they will submit changes to appease privacy advocates, although no details have been given. Plans to attach CISA to a defense bill currently moving through the Senate were recently rejected.
Jane LeClair, chief operating officer of the National Cybersecurity Institute at Excelsior College, says that U.S. companies and government agencies cannot properly defend themselves without working together.
"Companies cannot fight cybercrime alone. Neither can government agencies," she says.
LeClair notes that the bill would allow companies to share important information without violating antitrust laws or being sued. According to a March 2015 Bloomberg article, companies have been hesitant to divulge the details of cyberattacks because of potential lawsuits.
Specifics of the bill
The bill specifies that private companies will be protected from lawsuits if they accidentally provide consumer data while sharing the details of cyberattacks against them. This applies whether they share with the government or each other. The bill also states that the data must have identifying information "not directly related to a cybersecurity threat" removed before the government accesses it.
The Obama administration says that government agencies and private companies can benefit from keeping each other informed of cyberthreats.
"It is a timeliness issue," LeClair says. "You've got to get that information out because you could prevent any number of breaches by sharing it."
The more these breaches occur, the more consumers can be at risk.
"These threats are putting small businesses out of business and endangering people's lives with identity theft," LeClair says.
Changing the breach landscape
For many companies, navigating the breach landscape can be a challenge, especially while they are still vulnerable to hackers. Consumers need to know if they are at risk, but immediately publicizing these attacks can draw the attention of scam artists who may use the details of a hack to craft custom phishing messages and victimize even more consumers.
Most states have laws requiring breached companies to alert consumers within a reasonable amount of time, but businesses are not necessarily required to notify the government or their competitors. If businesses are protected from potential mistakes or unforeseen consequences created in this process, more of them could stay informed of the types of attacks facing them, which could lead to better security practices.
However, privacy advocates have voiced concerns that the current draft of the bill may do more harm than good by exposing consumer information to an excessive number of government agencies. So that cyberthreats can be properly analyzed, the bill authorizes companies to share what it calls "cyberthreat indicators" without fear of prosecution.
These indicators include consumer data such as medical records, passwords, online activity, and financial records, as long as the information can be connected to some sort of cyberthreat, according to the Center for Democracy and Technology (CDT). The bill also allows this information to be used outside of cybersecurity investigations, including as evidence for charging consumers with a number of crimes.
The bill mandates that once this information is shared with the government, it will also immediately be shared with other agencies, including the National Security Agency (NSA). Consumers may be wary of having their data collected and shared this way, especially if the information has been exposed in the initial cyberattack. This bill would limit their ability to bring charges against the companies sharing their information, CDT says.
According to LeClair, however, it is ultimately about sharing information for the greater good. "In the long run, the benefits will be reaped by everybody," she says.
Still, these relationships may be slow to form. Companies need to be sure their vulnerabilities will not be further exposed by the government or their competitors.
"There has to be a high level of trust that no one gets taken advantage of," LeClair says.
Many organizations hope that privacy amendments, particularly surrounding the widespread sharing of information with the government, will be added to the bill so that consumers can join in this trust as well.