Episode III: Revenge of the CISPA

Today, Dutch Ruppersberger (D-MD) re-introduced the Cyber Information Sharing and Protection Act (“CISPA”), a bill that has passed the House of Representatives twice previously, both in 2011 and 2013, and subsequently also twice faced a veto threat from the Administration. The bill was never considered in the Senate.

Mike Rogers, a former Representative from Michigan, was the previous sponsor of the bill, which had an uncertain future following his 2013 retirement from Congress. However, Representative Ruppersberger, a primary co-sponsor of both prior versions of the bill, has now taken up the mantle of this harmful legislation.

The re-introduction of CISPA comes in the immediate wake of the re-introduction of the Secure Data Act by Senator Ron Wyden. The Secure Data Act was first introduced late last year, with an identical bill sponsored by Congresswoman Zoe Lofgren in the House of Representatives.

The Secure Data Act is designed to increase digital security by prohibiting the insertion of government-mandated backdoors in products and services. By contrast, CISPA is primarily targeted at increasing the transfer of data between the public and private sectors with the ostensible purpose of preventing cyber attacks. However, the law puts few limits on the transfer of personal user information that can be collected from private companies by the U.S. government all while creating broad liability protections for doing so. Additionally, the bill puts the National Security Agency in charge of the regime, bypassing more transparent domestic government agencies in favor of the secret military organization infamous for its robust surveillance programs. In short, this is a bill that hurts users by creating a new surveillance regime and doing little to actually increase in data security.

In threatening a veto of the 2013 version of CISPA, the Administration explained:

“The Administration…remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately.”

Access, joined by a coalition of 30 companies and organizations, sent a letter in response to the introduction of a similar bill in 2013 (the Cybersecurity Information Sharing Act), calling on Congress to introduce and pass meaningful cybersecurity legislation, including incentivising improvements to digital security, fostering greater international dialogue of cyber red lines, and empowerment of a civilian agency to conduct information assurance functions.

We once again urge Congress to reject CISPA. Instead, Congress should pass the Secure Data Act. Unlike CIPSA, it would actually protect user privacy and increase data security.