One of the most important security-related pieces of legislation recently passed in Congress is the H.R. 1731: the National Cybersecurity Protection Advancement Act of 2015, also known simply as the Cybersecurity Act of 2015. The Act has widely been considered a “landmark cybersecurity information sharing legislation,” (Abascal, Archie, Crawford, et al., 2016) and “the most significant piece of federal cyber-related legislation enacted to date,” (Sullivan & Cromwell LLP, 2015, p. 1) because it is one of the first and strongest attempts to federalize cybersecurity in the broader interests of counterterrorism and national security. In fact, the Act specifies the role the Department of Homeland Security plays in coordinating information sharing efforts.
Most significantly, the Act requires that the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) interact with non-federal and private sector organizations for comprehensive information sharing. What this generally means for individuals and businesses is that we are now better equipped to cooperate with the federal government in terms of information sharing, such as divulging any information requested by the NCCIC. The Act does not mandate that any organization share data with the government. However, the Act does make it so that individuals and companies are protected from liability when information is shared. The Act includes specific liability and information privacy protection provisions to facilitate information sharing from the private sector. Without these provisions, the private sector would fear any repercussions that came from information sharing. Therefore, the Cybersecurity Act of 2015 offers an ideal balance between privacy protections and national security needs.
Initially the Act had “raised concerns among privacy advocates,” (Zakrzwski, 2015, p. 1). The reason for these concerns is that when organizations in either the public or private sector share information with the Department of Homeland Security, there is some potential for that information to contain your personal data. By including provisions related to the role the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer play in reviewing and assessing how the act has been implemented and any privacy-related consequences or concerns it has raised, the Act does offer a reasonable compromise that should appeal to most Americans. Moreover, the Act protects organizations from liability with the only exception being in cases involving “willful misconduct,”...
Another way the Act does protect Americans from infringements on privacy is that it holds the government liable “if an agency or department violates privacy and civil liberty guidelines and restrictions on the use of information required by the bill,” (Congressional Budget Office, 2015). For this reason, even the most sensitive of privacy watchdog groups have offered tacit, cautionary support for the Act (Zakrzewski, 2015). The American Civil Liberties Union (ACLU) even gave its “blessing” for the Act, “a rare occurrence for a cyber bill, (Bennett & Marcos, 2015, p. 1). Therefore, anyone concerned about how the Act impacts their own privacy should rest assured that their personal information is actually much better protected now than ever before.
Prior to this Act, government and private entities were vulnerable to cyberattacks, which could undermine counterterrorism efforts in general, and cause havoc to basic public infrastructure like transportation and communication networks and banking systems. Ancillary problems like identity theft can also occur when a private or government entity is under cyberattack. A series of serious attacks on Sony Entertainment, Anthem, Home Depot and JPMorgan Chase made it abundantly clear that greater coordination and information sharing was needed to protect Americans from cyberattacks (Bennett & Marcos, 2015). President Obama quickly responded with an executive order that led to preliminary drafts of the Cybersecurity Act, and Congress passed the Act practically unanimously with a 355-63 vote.
It may seem surprising to you that the ACLU and other civil liberties organizations would support an Act that “authorizes various entities, including outside the federal government, to monitor certain information systems and operate defensive measures for cybersecurity purposes,” (Sullivan & Cromwell LLP, 2015). After all, authorizing the government to “monitor certain information systems” sounds a lot like surveillance. The reason why the Act does not run roughshod over American civil liberties is that it builds in safeguards such as mandatory removal of personal information that is unrelated to the security threat. The Chief Privacy Officer continually monitors the collection, dissemination, and utilization of data and continually consults with civil liberties agencies (“H.R.1731 - National Cybersecurity Protection Advancement Act of 2015,” 2015). Furthermore, an amendment to the Act requires…
