CISPA Limits Incentives for Corporate Responsibility

The U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, last week and the bill is set to be taken up by the Senate quickly.  

While there is across-the-board agreement on the need to update the nation’s cybersecurity laws, CISPA contains broad provisions that eliminate the ability of harmed individuals and businesses to hold accountable corporations that have acted recklessly or negligently after receiving cyber threat information. 

The legislation bars any access to justice even when corporations fail to act despite knowledge of a potential threat.  In effect, the legislation removes incentives for industry to act responsibly when it learns of cyber threat information.  

For example, if a telecommunications company becomes aware of a cyber threat directed at a utility company but fails to notify that utility company, CISPA would let the telecommunications firm escape legal responsibility if a catastrophic attack occurred. 

The purpose of CISPA is to allow the sharing of classified information, which is currently prohibited. But this bill goes far beyond any reasonable legal protection one would need to encourage the sharing of classified threat information.  These broad protections are unnecessary and troubling.  The bill's exemption from accountability should be narrowed so that it does not protect such decisions.

The President issued a Statement of Administration Policy on April 16, 2013 on CISPA highlighting this concern.   

“The Administration agrees with the need to clarify the application of existing laws to remove legal barriers to the private sector sharing appropriate, well-defined, cybersecurity information. Further, the Administration supports incentivizing industry to share appropriate cybersecurity information by providing the private sector with targeted liability protections.  However, the administration is concerned about the broad scope of liability limitations in H.R. 624.”