Anti-Hacking Bill Aims to Protect Companies That Share Consumer Information

The Senate Intelligence Committee has advanced a bill that would protect companies from lawsuits should they share consumer information related to hacking attacks with the government or fellow businesses.
 
Privacy advocates have expressed concern that parts of the Cybersecurity Information Sharing Act (CISA) would grant the government unneeded access to consumer data, while the Obama administration contends that the sharing of information is necessary to respond to modern, sophisticated cyberattacks.
 
Senators Richard Burr and Dianne Feinstein authored the bill and say they will submit changes to appease privacy advocates, although no details have been given. Plans to attach CISA to a defense bill currently moving through the Senate were recently rejected.
 
Jane LeClair, chief operating officer of the National Cybersecurity Institute at Excelsior College, says that U.S. companies and government agencies cannot properly defend themselves without working together.
 
"Companies cannot fight cybercrime alone. Neither can government agencies," she says.
 
LeClair notes that the bill would allow companies to share important information without violating antitrust laws or being sued. According to a March 2015 Bloomberg article, companies have been hesitant to divulge the details of cyberattacks because of potential lawsuits.

Specifics of the bill


The bill specifies that private companies will be protected from lawsuits if they accidentally provide consumer data while sharing the details of cyberattacks against them. This applies whether they share with the government or each other. The bill also states that the data must have identifying information "not directly related to a cybersecurity threat" removed before the government accesses it.
 
The Obama administration says that government agencies and private companies can benefit from keeping each other informed of cyberthreats. 
 
"It is a timeliness issue," LeClair says. "You've got to get that information out because you could prevent any number of breaches by sharing it."
 
The more these breaches occur, the more consumers can be at risk.
 
"These threats are putting small businesses out of business and endangering people's lives with identity theft," LeClair says.
 

Changing the breach landscape


For many companies, navigating the breach landscape can be a challenge, especially while they are still vulnerable to hackers. Consumers need to know if they are at risk, but immediately publicizing these attacks can draw the attention of scam artists who may use the details of a hack to craft custom phishing messages and victimize even more consumers.
 
Most states have laws requiring breached companies to alert consumers within a reasonable amount of time, but businesses are not necessarily required to notify the government or their competitors. By giving businesses protection from potential mistakes or unforeseen consequences created in this process, more could stay informed of the type of attacks facing them, which could lead to better security practices.
 

Privacy concerns


However, privacy advocates have voiced concerns that the current draft of the bill may do more harm than good by exposing consumer information to an excessive number of government agencies. In order to properly analyze cyberthreats, the bill authorizes companies to share what it calls "cyberthreat indicators" without fear of prosecution.
 
These indicators include consumer data such as medical records, passwords, online activity, and financial records, as long as the information can be connected to some sort of cyberthreat, according to the Center for Democracy and Technology (CDT). The bill also allows this information to be used outside of cybersecurity investigations, including as evidence for charging consumers with a number of crimes.
 
The bill mandates that once this information is shared with the government, it immediately will also be shared with other agencies, including the National Security Agency (NSA). Consumers may be wary of having their data collected and shared this way, especially if the information has been exposed in the initial cyberattack. This bill would limit their ability to bring charges against the companies sharing their information, CDT says.
 
According to LeClair, however, it is ultimately about sharing information for the greater good. "In the long run, the benefits will be reaped by everybody," she says.
 
Still, these relationships may be slow to form. Companies need to be sure their vulnerabilities will not be further exposed by the government or their competitors. 
 
"There has to be a high level of trust that no one gets taken advantage of," LeClair says.
 
Many organizations hope that privacy amendments, particularly surrounding the widespread sharing of information with the government, will be added to the bill so that consumers can join in this trust as well.
 