On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.
The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.
Information Sharing Coordination. The Cybersecurity Act establishes a portal at DHS and its National Cybersecurity & Communications Integration Center (NCCIC) to facilitate private-public cyberthreat information sharing and clarifies NCCIC’s statutory role in evaluating and responding to cybersecurity risks and threat indicators. In a compromise between competing predecessor bills passed by the House and Senate, the Cybersecurity Act authorizes the president to transfer authority and responsibility to collect and disseminate cybersecurity threat information to an entity other than NCCIC (including outside DHS), except that this role may not be transferred to the Department of Defense.
The law permits DHS, in its discretion, to disclose cyberthreat information it has received through the portal to other agencies or to the private sector. However, DHS must take steps to ensure that personal information has been removed (among other privacy-protective provisions). The Act also exempts shared cyberthreat indicators from disclosure under the Freedom of Information Act (FOIA) and other open-government laws.
A Voluntary Framework. The Cybersecurity Act emphasizes that participation in the information sharing framework is voluntary and prohibits conditioning any government benefit on participating. Participation may nevertheless become industry standard or be required through contractual or other legal obligations. For example, governmental agencies, particularly those with sector-specific authorities, may seek through their general oversight and enforcement powers to encourage participation to reduce cyber risk. Private sector entities may also require participation in information sharing through contract, particularly for vendors that process sensitive information on their behalf or otherwise support a company’s critical systems.
Prior versions of the Act had appeared less than voluntary for critical infrastructure entities. A controversial provision, known as Section 407 from the Senate bill, would have granted DHS additional authority over entities designated as critical infrastructure. This provision was removed from the final draft after significant industry criticism that the provision would have led to duplicative regulatory oversight, establish a path toward mandatory reporting and further complicated compliance efforts for critical infrastructure entities.
Privacy Protections. Even upon signing, some privacy and civil liberties groups continued to criticize the Cybersecurity Act as a privacy-invasive mechanism that will increase government surveillance and coerce personal information disclosures to the government. The law, however, incorporates significant privacy protections. In the limited circumstances where threat indicators may be intertwined with personal information, the Act requires that private entities remove personal information prior to sharing and mandates DHS also remove personal data prior to further disclosures. The Cybersecurity Act also restricts the use of cyberthreat information, exempts it from FOIA disclosures and imposes requirements to safeguard threat information that does contain personal information.
Section 104(d)(2) requires that private entities identify and remove such personal information not directly related to a cybersecurity threat before sharing information under the Act. Also, Section 103(b)(1)(E) requires development of procedures to identify and remove information “not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.” It also requires procedures to notify individuals whose personal information is known or determined to have been shared in violation of the law. Accordingly, there is essentially a double-scrubbing process and notification process to prevent disclosures of personal information not critical to cybersecurity purposes.
The law further establishes several oversight mechanisms, including for the privacy protections requiring removal of personal information. The comptroller general of the United States is required to issue a report to Congress on the issue within three years. The report shall include an “assessment of the sufficiency of the policies, procedures and guidelines … relating to privacy and civil liberties.” Sec. 107(c). (Prior versions of the bill vested such authority with the Privacy and Civil Liberties Oversight Board.)
Authorization for Monitoring and Defensive Measures. Section 104 includes “authorizations for preventing, detecting, analyzing and mitigating cybersecurity threats.” It states that private entities may engage in cybersecurity monitoring of their own information systems or those of others with authorization and written consent. It also specifies that private entities may use “defensive measures” for cybersecurity purposes to protect its rights and property or to protect other entities’ information systems with their authorization and written consent. A “defensive measure” is defined in broad and technology-neutral terms as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents or mitigates a known or suspected cybersecurity threat or security vulnerability.” Sec. 102(7)(A). The definition excludes any measure that “destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information … not owned by the private entity operating the measure” or another entity for which there is authorization to deploy such measures. Sec. 102(7)(B). It is unclear what new permissions, if any, these provisions grant; indeed, the law clarifies that it is not meant to “limit otherwise lawful activity.” Sec. 104(a)(2)(B); 104(b)(2)(B).
Liability Protections. The Cybersecurity Act provides important liability protections for private sector entities. Section 106 states that no cause of action shall lie for activity relating to the sharing or receipt of cyberthreat information, decisions made to enhance cybersecurity based on such information and authorized network monitoring. These liability protections, however, do not include general protection for damages caused by a cyberattack, such as data breaches or for claims of negligence or breach of contractual cybersecurity obligations. Further, the liability shield provisions would not appear to extend to claims that personal information was disclosed in violation of the law’s privacy requirements, as the provisions extend to “sharing or receipt [of information] conducted in accordance with this title.” Sec. 106(b)(1) (emphasis added). In addition to the liability shield against private litigation risk, the Cybersecurity Act prohibits federal and state agencies from using cyberthreat indicators provided by the private sector to regulate (including by enforcement action) the otherwise lawful activities of private sector entities.
Critically, Section 106(c)(1) clarifies that nothing in the Cybersecurity Act should be construed to create a duty to share cyberthreat indicators or a duty to warn or otherwise act on cyberthreat indicators.
Health Care Cyberthreat Studies. Other provisions of the Cybersecurity Act require the Department of Health and Human Services (HHS) to convene a health care industry cybersecurity task force to report on cybersecurity challenges in the health care industry. They also direct HHS to develop voluntary cybersecurity standards for health care information that are consistent with the Health Insurance Portability and Accountability Act (HIPAA) and National Institute of Standards and Technology (NIST) standards. Such provisions were not included in the House bills but were supported by some in the health care industry. Importantly, the provisions require the input of several stakeholders, including HIPAA covered entities, patient advocates, vendors of health information technology, pharmaceutical and device manufacturers, among others.
Sunset. Many of the key information sharing provisions of the Cybersecurity Act sunset on September 30, 2025, although the provisions (and protections) will continue to apply to actions taken prior to the sunset of the law.