DHS Issues Guidance Pursuant to Cybersecurity Act of 2015
The Cybersecurity Act of 2015, which included the long anticipated Cybersecurity Information Sharing Act or CISA, was passed on December 18, 2015 to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government. It also provided key liability shields for cyberthreat information sharing and network monitoring pursuant to the Act. Under the Cybersecurity Act, the Department of Homeland Security (DHS) was designated to coordinate the sharing and was tasked with developing guidelines to facilitate implementation within 90 days.
On February 16, 2015, DHS released four documents providing interim policies, procedures and guidelines for federal and private sector entities. Federal entity-specific guidance relates to interim procedures for the receipt and use of cyber threat indicators by federal entities and guidance regarding how the government shares the information after receipt. Additional guidance is directed to non-federal and private sector entities to assist in sharing information with the government. DHS also released interim guidelines to protect privacy interests and scrub personal information during the exchange of cyberthreats indicators.
Privacy Scrubbing and Notification. Privacy and civil liberties protections within CISA were hotly debated during the legislative process. DHS has attempted to address these concerns by establishing procedures to protect against and provide safeguards for the erroneous distribution or receipt of personal information. These safeguards include notification to any United States person whose personal information was shared in violation of CISA. The privacy guidelines also include safeguarding measures, dissemination restrictions, sanctions, and audit procedures. The procedures outline how the government will be permitted to use the cyber threat information, including permitted minimal delays to modify the cyber threat indicator or measures to remove personal or identifying information of specific individuals; required auditing capabilities to facilitate the creation of statistics on cyberthreats sharing as well as the removal of personal information and notices issued for failure to remove personal information; and possible sanctions for violations of “the usage requirements set forth in the guidelines.”
Automated Indicator Sharing. The guidelines also detail sharing methods through the preferred Automated Indicator Sharing (AIS) method, as well as by web form and email submissions.
Liability Protections and Exemptions. The non-federal entity guidance should be of particular interest to many companies. It reiterates that non-federal entities receive powerful “no cause of action” liability protection only when sharing pursuant to section 105(c), which codifies the sharing of cyber threat indicators and defensive measures with the federal government. Even where action is not subject to such “no cause of action” liability protection, the law permits a company to monitor its systems, operate defensive measures, and share or receive cyber threat indicators or defensive measures “notwithstanding any other provision of law” under sections 104(a), 104(b), and 104(c) respectively, which could operate to protect activity under the Act. The guidance also explains various exemptions for the information sharing from antitrust laws, disclosure laws, and certain regulatory uses, as well as confidentiality protections for financial and proprietary information submitted pursuant to the Act.
No Waiver of Privilege or FOIA release. Critically, the guidance emphasizes that sharing pursuant to CISA does not waive privilege. Moreover, the guidance clarifies that shared information will be considered “voluntarily shared,” which will help protect “appropriately shared information from disclosure under The Critical Infrastructure Information Act of 2002.” And with regard to the treatment of commercial, financial, and proprietary information, the guidance considers the legislative history and stresses that when a sharing entity so designates information, it will be treated “consistent with the privileges, protections, and any claims of propriety on such information” during all further governmental sharing and use. This guidance also specifically emphasizes that the “Act provides an exemption from federal state, tribal, or local government freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”
Not to Be Used for Regulatory Enforcement. The DHS guidance also provides further comfort that cyberthreat information shared pursuant to the Act should not be used against sharing companies in regulatory enforcement actions. DHS again considered the legislative history in emphasizing that governmental bodies cannot use any shared cyber threat indicators and defensive measures “to regulate, including an enforcement action, the lawful activity of any non- federal entity or any activity taken by a non-federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.”
Critically, this exemption would not extend to unlawful activity. These governmental bodies may, however, use shared information to “inform the development or implementation of a regulation relating to” information systems and the prevention or mitigation of cybersecurity threats. Importantly, the guidance states that this is a narrow exception, only intended “to ensure that government agencies with regulatory authority understand the current landscape of cyber threats and those facing the particular regulatory sector over which they have cognizance.”
Organizational Issue and Responsibilities. The guidance also demonstrates how Executive Order 13636, Improving Critical Infrastructure Cybersecurity applies in conjunction with the new law and elaborates on the roles and responsibilities of federal entities and non-federal entities alike.