The Cyber Intelligence Sharing and Protection Act (“CISPA”) is a pending legislative proposal aimed at protecting against cyber-threats and cyber-attacks. CISPA follows the much publicized and now effectively defunct legislative proposals Stop Online Piracy Act (“SOPA”) and the Protect IP Act (“PIPA”) as a means to combat online misconduct. On January 18, 2012, Internet megasites Wikipedia, Craigslist, Reddit, Mozilla, Linux and others voluntarily shut down their websites to protest the passage of SOPA and PIPA. Following these protests, SOPA and PIPA were indefinitely postponed. Although some critics see CISPA as a new SOPA/PIPA, CISPA has a somewhat different aim and has received much less protest from the online community.
While not required to do so, CISPA permits certain technology and manufacturing companies to share users’ personal information with the U.S. government, including information presently protected by privacy laws such as HIPAA (Health Insurance Portability and Accountability Act), VPPA (Video Privacy Protection Act) or FERPA (Family Education Rights and Privacy Act), without disclosing to the users that their information has been shared. Consequently, otherwise private information, including video rental records, book rentals, newspaper subscriptions, online reading or data protected by state consumer protection laws (like utility usage records) may freely be shared under CISPA despite existing privacy rules and sharing safeguards.
CISPA supporters state that the availability of this information will help the government identify cyber-threats and prevent cyber-attacks. Critics state that this is an unnecessary violation of privacy rights, accomplishing no more for the private sector than the currently enacted Wiretap Act and Electronic Communications Privacy Act and allowing the U.S. government unfettered access to private information for which it would otherwise require a warrant.
CISPA was passed by the U.S. House of Representatives by a vote of 248 to 168 on April 26, 2012. While by no means a foregone conclusion, pundits presently speculate that CISPA will not make it onto the Senate’s agenda. Two alternative bills generally aimed at the same measures, the Cybersecurity Act of 2012 (“CSA”) and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (“SECURE IT”), are likely to be taken up instead.
We will keep you informed of these and other developments as they progress.