DHS and DOJ released final rules for treatment of shared cybersecurity threat information under CISA
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information-sharing and defensive-monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA), which was passed in December 2015. CISA authorizes and protects information sharing for certain cybersecurity purposes. It applies to all organizations, and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”
The new rules implement the immunity provision, which shields entities that “promptly” share cyber threat data with the government from potential public or private causes of action, and the guidance clarifies that the liability protections extend to business-to-business communications in addition to business-to-government communications: “CISA authorizes private entities to share cyber threat indicators and defensive measures with other private entities. . . . It also provides private entities with liability protection for conducting such sharing in accordance with CISA.” The guidance explains procedural methods for sharing information with the DHS’s National Cybersecurity and Communications Integration Center, as well as with private Information Sharing and Analysis Centers or Organizations, both in real time and via non-automated means. It also explains some of the key concepts for information sharing, particularly the procedures intended to ensure privacy and civil liberties protections.
CISA requires that companies remove personally identifiable information (PII) before sharing threat information with the government or other companies, unless that information is directly related to the threat. But CISA fails to define PII within its text, which complicates sharing for organizations: they are left to identify and remove anything that qualifies as PII. The guidance expounds on the definitions of cyber threat indicators, defensive measures, and “types of information protected under otherwise applicable privacy laws …[that] are unlikely to be directly related to a cybersecurity threat.” In particular, the guidance highlights categories of information that are likely to be inappropriate to share, including: protected health information under HIPAA, human resource information, consumer information and history such as that covered by the FCRA, educational history such as that protected under FERPA, financial information such as that protected by GLBA, children’s information such as that protected under COPPA, and other identifying information protected by state privacy laws. The Privacy and Civil Liberties Final Guidelines also further specify procedures to ensure that personal information is not improperly disclosed and that individuals’ notice and redress rights are preserved.
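The "remove PII unless it is directly related to the threat" rule above is the step most sharing programs have to turn into code before indicators leave the organization. The following is an added example, not part of the original post and not a format or tool published by DHS or DOJ: a pre-sharing scrubber that drops fields from the protected categories the guidance lists (health, HR, consumer, education, financial, children's data) unless an analyst has explicitly marked a field as part of the threat, keeps only indicator fields otherwise (default deny), and masks incidental email addresses in free text. The record layout, field names, and category-to-field mapping are hypothetical choices made for the example; the sample record is constructed.

```python
"""Pre-sharing PII scrubber for a threat-indicator record.

Added example (hypothetical record layout; not DHS/DOJ code or a prescribed format).
The CISA rule it implements: strip PII before sharing unless it is directly
related to the threat. Whether a given value IS directly related is an analyst
decision, so it is passed in explicitly rather than guessed by the code.
"""
import re

# Fields that carry the threat content of an indicator (hypothetical names).
INDICATOR_FIELDS = {"indicator_type", "value", "observed_at", "description", "defensive_measure"}

# Categories the guidance flags as unlikely to be directly related to a threat,
# mapped to the hypothetical record keys that would hold such data.
PROTECTED_CATEGORIES = {
    "health (HIPAA)": {"patient_id", "diagnosis"},
    "human resources": {"employee_id", "employee_name", "salary"},
    "consumer (FCRA)": {"credit_score"},
    "education (FERPA)": {"student_id", "transcript"},
    "financial (GLBA)": {"account_number", "routing_number"},
    "children (COPPA)": {"child_name", "child_age"},
}
FIELD_TO_CATEGORY = {f: cat for cat, fields in PROTECTED_CATEGORIES.items() for f in fields}

# Email matcher that does not swallow trailing sentence punctuation.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_indicator(record, threat_related=frozenset()):
    """Return (sanitized_record, audit_log).

    - Protected-category fields are removed unless named in `threat_related`,
      the analyst's documented finding that the value itself is part of the
      threat (e.g. the sender address used in a phishing lure).
    - Indicator fields are kept; anything else is removed (default deny).
    - Email addresses inside the free-text description are masked unless they
      equal the indicator value, so incidental recipients are not shared.
    """
    kept, log = {}, []
    for key, value in record.items():
        if key in FIELD_TO_CATEGORY and key not in threat_related:
            log.append(f"removed {key}: {FIELD_TO_CATEGORY[key]} data, not directly related to threat")
        elif key in FIELD_TO_CATEGORY:
            kept[key] = value
            log.append(f"kept {key}: analyst marked it directly related to the threat")
        elif key in INDICATOR_FIELDS:
            kept[key] = value
        else:
            log.append(f"removed {key}: not an indicator field and not marked threat-related")

    if "description" in kept:
        indicator_value = str(kept.get("value", ""))
        masked = []

        def mask(match):
            addr = match.group(0)
            if addr == indicator_value:  # the indicator itself stays intact
                return addr
            masked.append(addr)
            return "[email redacted]"

        kept["description"] = EMAIL_RE.sub(mask, kept["description"])
        if masked:
            log.append(f"masked {len(masked)} incidental email address(es) in description")
    return kept, log


# Constructed sample: a phishing indicator polluted with HR and financial data
# from the internal ticket it was copied out of.
SAMPLE_RECORD = {
    "indicator_type": "email-addr",
    "value": "payroll-update@example-phish.test",
    "observed_at": "2016-06-20T14:03:00Z",
    "description": "Phishing lure sent to jdoe@example.test claiming a payroll change; "
                   "sender payroll-update@example-phish.test",
    "employee_name": "J. Doe",
    "salary": 85000,
    "account_number": "000123456789",
    "ticket_owner": "helpdesk analyst 7",
}

if __name__ == "__main__":
    clean, audit = scrub_indicator(SAMPLE_RECORD)
    print("sharing:", clean)
    print("\n".join(audit))
```

The audit log is the piece a sharing program should retain: the guidance's notice-and-redress procedures presuppose that an organization can later show which personal data it withheld and why a particular value was judged threat-related.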
In sum, the final guidelines confirm the powerful legal basis for companies to engage in and share information about defensive measures, to conduct cybersecurity-related network monitoring, and to share information about cyber threat indicators with both government and non-government entities, whether through the DHS automated portal or through other means. As interpreted by DHS and DOJ, CISA should prove highly useful to corporate cybersecurity efforts.