What many Americans might consider to be universally good news (the passing of a bill aimed at fighting cybersecurity threats) has come under heavy fire due to privacy concerns. The U.S. House of Representatives passed the bill, dubbed the Cybersecurity Information Sharing Act (CISA), in April of this year. Following a vote on Oct. 27, it was passed by the Senate with a majority vote of 74 to 21.

This bill comes on the heels of a year full of data breach after data breach, including the highly embarrassing Office of Personnel Management breach that proved even the federal government isn’t safe from cyber threats. Although proponents of CISA view it as a step toward solving the threat of data breaches, critics are pointing out just how much it fails to address the real issues American businesses face. What does all of this mean when it comes to the average U.S. citizen?

What is the purpose of the Cybersecurity Information Sharing Act?

CISA is intended to provide incentive for businesses to share information with each other as well as the federal government in order to help fight cybercrime. More specifically, the hope is that an open dialogue and sharing policy between businesses and government agencies will enable patterns or problems to be identified early rather than discovered down the road due to a lack of common knowledge. A number of amendments have been added since CISA passed through the House, including some that seek to protect the privacy of those whose data is shared between a company and the government.

Any personal information — like a customer database — that is shared is required to be scrubbed of sensitive data before the sharing happens. Additionally, those in favor of the bill point out that it is voluntary for businesses to share, so those that aren’t willing to expose their customers’ information can opt out. The fact that the government is doing something about cybersecurity is a step in the right direction, even if it’s just one step on a long road to real improvement.

What do the critics have to say?

Many people, from cybersecurity experts to business owners to college professors, have criticized this legislation, asking for it to either be abandoned or seriously modified before being made into law. The reasons are varied, but it basically boils down to the concern that CISA does nothing to actually address cybersecurity issues — while allowing privacy protections to fall by the wayside. The nonprofit technology policy group Center for Democracy and Technology (CDT) has written an outline of the problems with the bill and its amendments, focusing on a few major issues, including:

The bill could turn into a “backdoor wiretap.” Essentially, CDT and others are worried that CISA will allow law enforcement to use information shared for purposes that have nothing to do with cybersecurity. The current wording of the bill allows it to supersede all law by authorizing companies to share with the government any user data or Internet communications that could qualify as “cyber threat indicators.” And any information that is volunteered to the Department of Homeland Security is required to be shared with the NSA, FBI and numerous other security agencies.

Businesses have no incentive to fix their existing security issues. The bill is designed to enhance and encourage information sharing between companies and the government, but as cybersecurity blogger Brian Krebs points out, this is something that already happens in abundance. Instead, businesses should be focusing on what Krebs refers to as a “yawning gap in awareness and understanding” of the cybersecurity infrastructure they already have in place. In many instances over the past few years, the information that could have indicated a breach to a company had already been collected, but the company lacked the human resources to actually process and understand what the information meant.

The Target breach is a perfect example of this — the warning signs were all there, but the company missed them and did not act until it was too late. It has been suggested by most of CISA’s critics that the real emphasis should not be on sharing information but on forcing companies to invest money and time into their cybersecurity and hiring IT experts who can ensure hackers can’t get in and information doesn’t get out. Given that CISA provides liability protection to companies that comply with the information sharing, it’s possible many may look at it as a “get out of jail free” card that can offer protection while allowing them to avoid spending money where they should.

How does all of this affect me?

As an average citizen, you might be wondering why any of this matters to you. You may not be in charge of a large company that collects and stores the data of thousands upon thousands of customers, but chances are you’re one of those customers. And that means it’s important that any legislation passed by the U.S. government to combat the serious, growing issue of cybersecurity actually does what it is supposed to do — without any unintended consequences. There is a lot of pressure on the government right now, especially in light of breaches within its own offices as well as within the healthcare industry, and it’s admirable that President Obama and Congress are making efforts to address this threat. However, it needs to be dealt with in the right way.

Many people consider CISA to be the answer, or at least a start to solving the problem. It’s likely, given the heavy fire CISA has been coming under, that further amendments will be made before the bill is passed into law. In the meantime, the best ordinary citizens can do is pay attention to what’s happening around them as well as be proactive in protecting their personal data. Identity theft is an unfortunate reality for the majority of people in the U.S., but you can protect yourself and prevent it from completely devastating your life if you should become a victim.

Read our reviews of identity theft protection services to learn how they can assist you in the event your identity is compromised as well as help monitor your credit reports and the Internet black market for suspicious activity. And follow our blog for tips on protecting your identity as well as the latest news on data breaches and cybersecurity threats.