Feb 182016

DHS Issues Guidance Pursuant to Cybersecurity Act of 2015

Colleen Theresa Brown, Clayton G. Northouse and Michaelene E. Hanley
, , ,

The Cybersecurity Act of 2015, which included the long anticipated Cybersecurity Information Sharing Act or CISA, was passed on December 18, 2015 to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government. It also provided key liability shields for cyberthreat information sharing and network monitoring pursuant to the Act.  Under the Cybersecurity Act, the Department of Homeland Security (DHS) was designated to coordinate the sharing and was tasked with developing guidelines to facilitate implementation within 90 days.

On February 16, 2015, DHS released four documents providing interim policies, procedures and guidelines for federal and private sector entities. Federal entity-specific guidance relates to interim procedures for the receipt and use of cyber threat indicators by federal entities and guidance regarding how the government shares the information after receipt. Additional guidance is directed to non-federal and private sector entities to assist in sharing information with the government. DHS also released interim guidelines to protect privacy interests and scrub personal information during the exchange of cyberthreats indicators.

Privacy Scrubbing and Notification. Privacy and civil liberties protections within CISA were hotly debated during the legislative process. DHS has attempted to address these concerns by establishing procedures to protect against and provide safeguards for the erroneous distribution or receipt of personal information.  These safeguards include notification to any United States person whose personal information was shared in violation of CISA. The privacy guidelines also include safeguarding measures, dissemination restrictions, sanctions, and audit procedures. The procedures outline how the government will be permitted to use the cyber threat information, including permitted minimal delays to modify the cyber threat indicator or measures to remove personal or identifying information of specific individuals; required auditing capabilities to facilitate the creation of statistics on cyberthreats sharing as well as the removal of personal information and notices issued for failure to remove personal information; and possible sanctions for violations of “the usage requirements set forth in the guidelines.”

Automated Indicator Sharing. The guidelines also detail sharing methods through the preferred Automated Indicator Sharing (AIS) method, as well as by web form and email submissions.

Liability Protections and Exemptions.  The non-federal entity guidance should be of particular interest to many companies. It reiterates that non-federal entities receive powerful “no cause of action” liability protection only when sharing pursuant to section 105(c), which codifies the sharing of cyber threat indicators and defensive measures with the federal government.  Even where action is not subject to such “no cause of action” liability protection, the law permits a company to monitor its systems, operate defensive measures, and share or receive cyber threat indicators or defensive measures  “notwithstanding any other provision of law” under sections 104(a), 104(b), and 104(c) respectively, which could operate to protect activity under the Act. The guidance also explains various exemptions for the information sharing from antitrust laws, disclosure laws, and certain regulatory uses, as well as confidentiality protections for financial and proprietary information submitted pursuant to the Act.

No Waiver of Privilege or FOIA release. Critically, the guidance emphasizes that sharing pursuant to CISA does not waive privilege. Moreover, the guidance clarifies that shared information will be considered “voluntarily shared,” which will help protect “appropriately shared information from disclosure under The Critical Infrastructure Information Act of 2002.” And with regard to the treatment of commercial, financial, and proprietary information, the guidance considers the legislative history and stresses that when a sharing entity so designates information, it will be treated “consistent with the privileges, protections, and any claims of propriety on such information” during all further governmental sharing and use. This guidance also specifically emphasizes that the “Act provides an exemption from federal state, tribal, or local government freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”

Not to Be Used for Regulatory Enforcement. The DHS guidance also provides further comfort that cyberthreat information shared pursuant to the Act should not be used against sharing companies in regulatory enforcement actions.  DHS again considered the legislative history in emphasizing that governmental bodies cannot use any shared cyber threat indicators and defensive measures “to regulate, including an enforcement action, the lawful activity of any non- federal entity or any activity taken by a non-federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.”

Critically, this exemption would not extend to unlawful activity.  These governmental bodies may, however, use shared information to “inform the development or implementation of a regulation relating to” information systems and the prevention or mitigation of cybersecurity threats. Importantly, the guidance states that this is a narrow exception, only intended “to ensure that government agencies with regulatory authority understand the current landscape of cyber threats and those facing the particular regulatory sector over which they have cognizance.”

Organizational Issue and Responsibilities.  The guidance also demonstrates how Executive Order 13636, Improving Critical Infrastructure Cybersecurity applies in conjunction with the new law and elaborates on the roles and responsibilities of federal entities and non-federal entities alike.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Clayton G. Northouse

cnorthouse@sidley.com

Michaelene E. Hanley

mhanley@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.