News 03.14.16

The Cybersecurity Act of 2015: A Brief Overview and What’s Next

Participation is Voluntary

The language of the Act emphasizes that participation in the information sharing framework is voluntary and explicitly prohibits conditioning any government benefit on participating. However, the Act notes that participation may become required as a function of changing industry standards or by contract.

Information Sharing Coordination

The Cybersecurity Act establishes a portal at the DHS and its National Cybersecurity & Communications Integration Center (NCCIC) to facilitate private-public cyber-threat information sharing and clarifies NCCIC’s statutory role in evaluating and responding to cybersecurity risks and threat indicators. The Act authorizes the president to transfer authority and responsibility to collect and disseminate cybersecurity threat information to an entity other than NCCIC (including outside the DHS), except that this role may not be transferred to the Department of Defense.

The law also allows the DHS, at its discretion, to disclose cyber-threat information it has received through the portal to other agencies or to the private sector. However, the DHS must take steps to ensure that personal information has been removed. The Act also exempts shared cyber-threat indicators from disclosure under the Freedom of Information Act (FOIA) and other “sunshine” or open-government laws.

Privacy Protections

While many feared the Act merely created an additional mechanism for government surveillance, the Act does have significant privacy protections. In the limited circumstances where threat indicators may be intertwined with personal information, the Act requires that private entities remove personal information prior to sharing and mandates that the DHS also remove personal data prior to further disclosures. The Cybersecurity Act also restricts the use of cyber-threat information, exempts it from FOIA disclosures, and imposes requirements to safeguard threat information that does contain personal information.

Section 104(d)(2) requires that private entities identify and remove such personal information not directly related to a cybersecurity threat before sharing information under the Act. Also, Section 103(b)(1)(E) requires development of procedures to identify and remove information “not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.” It also requires procedures to notify individuals whose personal information is known (or determined) to have been shared in violation of the law. Thus, the Act creates a double-scrubbing and notification process to prevent disclosures of personal information not critical to cybersecurity purposes.

The law further establishes several oversight mechanisms, including oversight of the privacy protections that require removal of personal information. The Comptroller General of the United States is required to issue a report to Congress on the issue within three years. The report shall include an “assessment of the sufficiency of the policies, procedures and guidelines … relating to privacy and civil liberties.” Sec. 107(c).

Authorization for Monitoring and Defensive Measures

Section 104 includes “authorizations for preventing, detecting, analyzing and mitigating cybersecurity threats.” It states that private entities may engage in cybersecurity monitoring of their own information systems or those of others with authorization and written consent. It also specifies that private entities may use “defensive measures” for cybersecurity purposes to protect their rights and property or to protect other entities’ information systems with their authorization and written consent. A “defensive measure” is defined in broad and technology-neutral terms as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents or mitigates a known or suspected cybersecurity threat or security vulnerability.” Sec. 102(7)(A). The definition excludes any measure that “destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information … not owned by the private entity operating the measure” or another entity for which there is authorization to deploy such measures. Sec. 102(7)(B). It is unclear what new permissions, if any, these provisions grant; indeed, the law clarifies that it is not meant to “limit otherwise lawful activity.” Sec. 104(a)(2)(B); 104(b)(2)(B).

Safe Harbor

The Cybersecurity Act provides important liability protections for private sector entities. Section 106 prohibits causes of action for activity relating to the sharing or receipt of cyber-threat information, decisions made to enhance cybersecurity based on such information, and authorized network monitoring. Of note, these liability protections do not include general protection for damages caused by a cyberattack, such as data breaches, or for claims of negligence or breach of contractual cybersecurity obligations. Additionally, the liability shield provisions do not appear to extend to claims that personal information was disclosed in violation of the law’s privacy requirements, as the provisions extend only to “sharing or receipt [of information] conducted in accordance with this title.” Sec. 106(b)(1) (emphasis added). In addition to the liability shield against private litigation risk, the Cybersecurity Act prohibits federal and state agencies from using cyber-threat indicators provided by the private sector to regulate (including by enforcement action) the otherwise lawful activities of private sector entities.

Critically, Section 106(c)(1) clarifies that nothing in the Cybersecurity Act should be construed to create a duty to share cyber-threat indicators or a duty to warn or otherwise act on cyber-threat indicators.

Health Care Cyber-threat Studies

Other provisions of the Cybersecurity Act require the Department of Health and Human Services (HHS) to convene a health care industry cybersecurity task force to report on cybersecurity challenges in the health care industry. They also direct HHS to develop voluntary cybersecurity standards for health care information that are consistent with the Health Insurance Portability and Accountability Act (HIPAA) and National Institute of Standards and Technology (NIST) standards. Importantly, these provisions require the input of several stakeholders, including HIPAA-covered entities, patient advocates, vendors of health information technology, and pharmaceutical and device manufacturers, among others.

Sunset Provision

While many of the key information sharing provisions sunset on September 30, 2025, the provisions and protections continue to apply to actions taken prior to that date.