CISPA Should Deter Reckless Information Handling By Government

CISPA creates a limited private right of action allowing individuals whose information has been improperly used or shared by a governmental entity to recover actual damages. But for an aggrieved party to prevail, it must show that the governmental entity “intentionally or willfully” violated the statute. Imposing such a high burden on potential plaintiffs will under-deter governmental agencies from negligently handling private information. Therefore, CISPA’s private right of action should also allow individuals to recover damages for grossly negligent violations by governmental entities.

CISPA Should Only Immunize Reasonable Cyber Threat Information Sharing

CISPA immunizes covered private firms that share “cyber threat information” for a “cybersecurity purpose” with any other entity—private or governmental—from all forms of civil and criminal liability. This sweeping provision would go so far as to immunize a provider that shares information unrelated to a cyber threat, so long as that provider believes in “good faith” that its actions accord with CISPA—even if the provider fails to take reasonable steps, prior to sharing information, to verify that it actually pertains to a cyber threat. CISPA should only immunize companies for sharing information when they have an objectively reasonable belief that it pertains to a cyber threat.

CISPA Should Bar Government From Coercing Firms To Share Information

Although CISPA’s “anti-tasking” restriction bars the government from conditioning a private entity’s access to cyber threat information on that entity’s own willingness to share, the bill ignores an even greater threat of tasking: the federal government’s ability to leverage grants or procurement contracts to pressure companies to disclose cyber threat information. CISPA should contain an enforceable ban on such quid pro quos to deter potential abuse by federal agencies, some of which have historically leveraged the procurement process to strong-arm private entities into facilitating mass digital surveillance.

CISPA’s Definition Of ‘Cyber Threat Information’ Should Be Narrowed

CISPA’s definition of “cyber threat information” encompasses, among other things, “information directly pertaining to” threats involving efforts to “degrade” networks, “misappropriat[e]” “private information,” or gain “unauthorized access” to a system. This broad definition is not necessarily limited to information that actually describes or identifies specific cyber attack threats. Especially problematic is the term “unauthorized access,” which in related contexts has been broadly construed to include violations of a website’s terms of service. While we recognize the pitfalls of defining “cyber threat information” too restrictively, CISPA’s definitions should be narrowed to focus on genuine cyber threats.

CISPA Should Provide For Meaningful Independent Oversight

CISPA calls for the Inspector General of the intelligence community to submit annual reports to Congress on the use of cyber threat information. But to ensure truly effective oversight, the independent Privacy and Civil Liberties Oversight Board—which has been inactive for years—should also be involved. CISPA should require Congress to appoint a roster of independent experts to the PCLOB, reallocate the trivial amount of funding needed for the Board’s operations from elsewhere in the federal budget, and ensure that the Director of National Intelligence consults the Board in crafting CISPA procedures.

Conclusion

We applaud the Committee’s well-intentioned efforts to enhance our nation’s cyber defenses. If CISPA is not revised to reflect our concerns, however, it may have serious unintended consequences for America’s vibrant technology sector—and for our constitutional rights. Therefore, we urge CISPA’s sponsors to consider these recommendations before sending the bill to the House floor.

2. For instance, former Qwest CEO Joseph Nacchio alleged in a 2007 court filing that when Qwest refused to participate in an NSA surveillance program, the agency “retaliated by not awarding lucrative contracts to Qwest.” Ellen Nakashima & Dan Eggen, Former CEO Says U.S. Punished Phone Firm.

3. See Orin Kerr, Ninth Circuit Hands Down En Banc Decision in United States v. Nosal, Adopting Narrow Interpretation of Computer Fraud and Abuse Act.