On April 10 the House Intelligence Committee will review H.R. 624, the Cyber Intelligence Sharing and Protection Act. The Committee approved an almost identical bill last year, and USACM released a statement expressing serious concerns with the bill.
While press reports indicate that several amendments will be up for consideration during tomorrow’s hearing, the text of those amendments has not been made available. As USACM’s concerns from last year have not changed, yesterday we sent a letter to the Chair and Ranking Member of the Intelligence Committee expressing our concerns with some of the language in the bill. We recommend that the bill provide more explicit guidance on minimizing the risk of disclosure of personally identifiable information (PII) or other sensitive business and/or personal information. Our other recommendations provide specific guidance for applying USACM privacy principles to the legislation.
Specific recommendations include indicating that:
- Shared data is to be used only for cybersecurity purposes specified in this act
- Shared data is to be kept for at most a limited time (e.g., 6 months) and deleted by all receiving parties thereafter
- Each receiving party must institute a process for periodically reviewing data received and deleting data no longer necessary to support the purposes of this act
- When erroneous data is discovered, it should be deleted immediately, and any parties sharing that erroneous data must be notified of the errors within a short time (e.g., 10 days)
- All data shared under this act will include indications of its origin, the dates when it was shared with each party, and the date on which it will be deleted
- All data shared under this act will be de-identified whenever possible
- Use of received data for any criminal prosecution requires a supporting subpoena or warrant
- All data shared under this act will be protected against unauthorized or accidental disclosure, modification, or other access
Following the markup, the bill is expected to go to the full House later this month. Once the text of the amendments is made public, we can assess how much this year’s CISPA has changed from last year’s bill.