During a House Homeland Security Committee hearing earlier this month, Rep. Andrew Garbarino (R-NY) addressed privacy concerns in the CISA Act of 2015.
00:05I now recognize myself for my second five minutes of questions.
00:09When the original CISA 2015 law was negotiated, significant privacy concerns were raised.
00:15As far as I'm aware, these concerns did not come to fruition.
00:19Ms. Rinaldo, you were there.
00:22Would you please walk us through the initial debates and how they were resolved, dealing with privacy?
00:27Absolutely.
00:27So during the four years, we had three different bills that were introduced.
00:33And from the first bill, which was a couple of pages, to the one that was signed into law, which was much, much bigger,
00:39we took a lot of the feedback from privacy industry, privacy groups and industry.
00:45John was instrumental in a lot of this work that we did.
00:48And we made changes.
00:50The information has to be anonymized.
00:51You know, we want to make sure that what is actually being shared is the zeros and ones of it.
00:59And I know that the inspector general has done a report recently and has determined that no privacy issues have been, have arisen in the past 10 years.
01:09So the language and all the protections that we put in have been working.
01:12That's great, because I'll tell you, other than the name, privacy concerns might be the biggest obstacle to getting this reauthorized.
01:22So the fact that you haven't, that report has zero reports of privacy breaches is great.
01:30Mr. Miller, you were also instrumental, as we all just heard Ms. Rinaldo say.
01:35Have you heard of any privacy-related concerns over the last 10 years the law has been in effect?
01:41No.
01:42You know, and I think that's pretty compelling evidence that the bill itself and the structure and the protections that were put in place to protect privacy and civil liberties worked.
01:54You know, if I could add one other protection that I think was very important to what Diane said,
02:00you know, actually having DHS serve as the central hub, you know, what we kind of called a civilian interface at the time, was very important.
02:09You know, if you think about what else was going on during this time, there was a lot of suspicion about sharing,
02:16and in particular about, you know, surveillance agencies in light of the, you know, Snowden disclosures, for instance.
02:25And so I think that, you know, the protections that Diane mentioned, you know, requiring the stripping out of PII was very important,
02:38but also sharing through DHS and then having DHS share across the federal government was a good innovation, I think, of the time as well.
02:47Mr. Schemek, anything to add there regarding privacy?
02:50Just the only thing I would add to it is, number one, as I made my statement, you know,
02:56we have not had anything realized in regards to any disclosures.
03:00Also, from a financial service industry standpoint, we take privacy extremely seriously.
03:05It's something that's core to how our business operates.
03:08So having those protections in there and really the focus on it in the act and the bill is really important.
03:15Ms. Keene?
03:17I would agree.
03:18I think, you know, they've summed it up.
03:21There really has not been any, to my knowledge, concerns from a privacy perspective,
03:25and I think that that's one of the reasons that a clean authorization of it, you know, from a renewal standpoint is just critical.
03:30We can change what we need to change later, but what's working right now from a fundamental perspective is working.
03:36And that was my follow-up question, and you said clean re-author,
03:38which means you would all agree that there was no need to change the language when it comes to privacy, correct?
03:45Yes.
03:45Yeah.
03:46They all said yes, for the record.
03:47Thank you very much for that.
03:51I do want to get to one more because we're talking about information sharing with the government, private to government,
03:59but can you all talk about some reflections on how this legislation changed information sharing amongst private-to-private entities
04:07and how it fostered that information sharing?
04:12Feel free to jump in, whoever wants to.
04:17I mean, I'll jump in.
04:19You know, talking to, you know, for instance, you know, the executive director of the ITI SEC recently, you know,
04:31it does seem like, and talking about some of the types of things that CISA-15 really has allowed the private sector to do,
04:41I mean, I think there are criticisms of whether the private government sharing can be better.
04:49I mean, we've heard some of those already today.
04:51But the private-to-private sharing is really a critical and maybe sometimes overlooked aspect of what CISA-15 really enabled.
05:00You know, again, if you look at the ISACs, again, some of the ISACs have less than 100 people.
05:06Some of them have thousands of companies involved.
05:09You look at the National Council of ISACs, you know, the state and local, tribal and territorial ISAC.
05:17You know, all of these ISACs are allow, you know, it's kind of a concept of the few protecting the many.
05:24And they're, you know, very important in particular for those small and medium-sized businesses who can perhaps participate through ISACs
05:31because they don't have, you know, million-dollar budgets to spend on cybersecurity.
05:36So I think there's really been a pretty dramatic increase in private-to-private sharing that has been enabled because of CISA-15.
