CISPA Moves Forward

The latest version of the Cyber Intelligence Sharing and Protection Act was adopted by the House Intelligence committee and now moves to the House floor for a vote. Ironically, the House Intelligence committee discussed and voted on CISPA – a bill that could significantly diminish citizen privacy protections – in private.

What’s more interesting are the privacy protection amendments that were left out of the recently adopted bill. Two of the left-out amendments touch on issues we’ve seen in other privacy laws: liability for private entities that use information to discriminate and obligating particular entities to de-identify certain data.

I find it interesting that these two safeguards were overwhelmingly defeated. As a bill that is already contentious for its potential to undermine the current privacy law framework regarding personal information in cyberspace, I would think basic protections against unnecessary identification and unauthorized discrimination would be appropriate to include. Additionally, in considering other laws like the Fair Credit Reporting Act and Genetic Information Nondiscrimination Act where similar discrimination and identification concerns are addressed, it would seem that these familiar safeguards would be welcomed. Interesting arguments have also been made about how personally identifiable information would not even aid the purpose of CISPA. Also, it seems quite clear that any information obtained through CISPA’s information sharing regime would be inappropriate to use for anything beyond threat identification. That said, not including a robust non-discrimination provision seems insufficient.

The reluctance toward including these two amendments likely stems from the burden of compliance and the difficulty of enforcement. De-identifying data would no doubt be costly and burdensome.  Non-discrimination violations are difficult to establish because the burden of proof inevitably lies with the aggrieved individual trying to establish how the alleged wrong stemmed from unauthorized access/use. Despite these reasonable justifications for excluding such provisions, I would think CISPA needed some extra juice so as not to suffer the same defeat in the Senate that it did last year.  No doubt Pres. Obama’s executive order addressing cyber security will also influence how the legislature deals with CISPA. The next few months seem likely to provide some interesting developments regarding the government’s access to personal information that is communicated to private entities.