By Ariel H. Brio and Timothy R. McTaggart
Financial institutions are attractive targets for cyber attacks due to their collection of private customer and economic information. In order to help the private sector respond more effectively to cyber attacks, President Obama signed the Cyber Information Sharing Act (CISA or the Act) into law at the end of 2015.
CISA provides for the creation of a threat and defense sharing mechanism between private and public entities for the purpose of cybersecurity. Through this mechanism, knowledge of security risks and countermeasures can be distributed to any individual or organization that voluntarily opts into the program. In addition to the sharing mechanism, CISA offers liability protection in order to incentivize private entities to participate. A private lawsuit against an entity sharing under CISA likely should be dismissed as long as the entity complies with CISA’s sharing requirements and procedures. Also, regulators, including the Federal Trade Commission, are prohibited from initiating any enforcement action for CISA sharing violations, but the CISA sharing protocol does not immunize entities from enforcement actions for any other non-CISA related alleged violation.While CISA can be a new tool for financial institutions to combat cyber threats, banks must still comply with existing privacy requirements mandated by governing state and federal statutes.
Financial institutions are subject to specific privacy regulations under the Financial Services Modernization Act of 1999 (known as the Gramm-Leach Bliley Act or GLBA). Under GLBA, banks, which must develop privacy programs, have an obligation to safeguard customer data. In order for a financial institution to comply with GLBA while also taking part in CISA, a bank must develop a careful and transparent privacy program with the personnel, technical means, and oversight to maintain it. With some additional work, financial institutions can modify existing privacy and safeguard programs to comport with CISA while taking advantage of the additional information the sharing mechanism provides.
CISA requires private entities to remove information that is neither a cyber threat indicator (information directly related and necessary to identify or describe a cybersecurity threat) nor a defensive measure (information that can be used to detect and counter a cybersecurity threat) prior to sharing. The CISA sharing procedures anticipate that shared information will exclude personal data, but the burden on scrubbing personal information is on the sharing party. Therefore, the bank will need to remove any personal information prior to sharing. Notably, procedures promulgated under CISA define protected information more broadly than GLBA’s narrow personally identifiable financial information, encompassing any data that is considered private by other privacy standards. This broader definition would require a more expansive removal program than a privacy program necessary under GLBA, especially for shared non-customer information.
Since most parties will use technical means to scrub personal information, privacy managers must develop specific instructions for the types of data that must be removed. Qualified personnel, who can catch errors in the removal system, must oversee the technical means. Since GLBA requires banks to furnish customers with privacy notices, it is crucial that the removal of personal information, prior to sharing under CISA, is precise. A breach of the privacy notice, even in preparation for CISA, could trigger an enforcement action for deceptive practices under GLBA.
GLBA requires financial institutions to allow customers to opt-out from sharing personal identifying information. Further, GLBA requires notice and opt-out opportunity to customers when the bank shares data with an unrelated third party. If a financial institution chooses to share information as part of CISA, it will need to include such possible shared information in its notice to customers and provide them with an opportunity to opt-out. Because these mechanisms put participation control in the hands of customers, it may very well be that banks will have less personal information to remove prior to sharing under CISA. This also means that while CISA can be part of a bank’s data protection program, it is not, on its own, a sufficient capability per the GLBA safeguard requirement. Financial institutions will need to continue to maintain a capability to identify and assess risks to customer information outside of those shared under the CISA program.