The Cyber Information Sharing Act (CISA), which finally became law in December and encourages reciprocal sharing of cybersecurity data breach and cyber threat information between the federal government and the private sector, will soon enter its next stage of implementation. But, a recent review by the Department of Homeland Security reveals that there may be some inadequacies when it comes to protecting personal information.
According to the report, there is a “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [personal information] than is directly related to the cybersecurity threat.” Additionally, although liability relief should make companies more comfortable with sharing technical information, opponents to the law worry that the government is not the best entity to hold such valuable and confidential information, especially after the breach of the Office of Personnel Management in June 2015. If not all personal information can be removed from the law’s Automated Indicated Sharing program, privacy activists and businesses alike worry where this valuable information could end up.