Senate's CISA subpoena bill adds privacy protections to DHS proposal

The Senate Homeland Security and Governmental Affairs Committee is preparing to release legislation that would give the Department of Homeland Security administrative subpoena powers to obtain subscriber information for vulnerable devices and systems connected to critical infrastructure.

The Cybersecurity Vulnerability Identification and Notification Act of 2019 would allow CISA to subpoena subscriber information for enterprise devices or systems, defined as those "commonly used to perform industrial, commercial, scientific, or governmental functions or processes that relate to critical infrastructure, including operational and industrial control systems, distributed control systems, and programmable logic controllers."

Subpoenas would be issued when the director of CISA identifies internet connected systems with specific vulnerabilities, is unable to identify the entity at risk and "has reason to believe" it relates to critical infrastructure. The Senate bill, which was obtained by FCW, adds a provision not included in the original DHS proposal specifying that the authority cannot not be used for information relating to "personal devices and systems, such as consumer mobile devices, home computers, residential wireless routers, or residential Internet enabled consumer devices."

The legislation gives CISA three months after passage to develop internal procedures and associated training for employees to address "the protection of and restriction on dissemination of nonpublic information obtained through a subpoena" as well as requirements that the agency not disseminate any nonpublic information obtained through the subpoena unless the party or entity gives consent or CISA is notified of a cybersecurity incident that specifically relates to the vulnerability that led them to issue a subpoena.

CISA must also develop procedures that would require them to destroy any personally identifiable information about a subscriber within six months of obtaining it if it relates to critical infrastructure and immediately if it doesn't.

Finally, CISA would need to develop criteria for formal assessments to determine whether a subpoena is necessary prior to issuing one.

No later than six months after establishing those internal procedures, the director of CISA would make public information detailing the purposes of issued subpoenas, the subpoena process, criteria for critical infrastructure security risk assessments, policies and procedures on retention and sharing of data and guidelines for how entities contacted by CISA may respond.

The agency must also provide annual reports to the House and Senate Homeland Security Committees on the number of subpoenas issued, how effective they've been mitigating critical infrastructure security vulnerabilities and other relevant information about how they're using their new powers.