Businesses concerned about combating cyber threats got an unexpected gift from Washington in the final weeks of 2015 with the passage of long-stalled cyber-sharing legislation that encourages private enterprises and the federal government to voluntarily share certain cyber threat information while limiting the private sector’s liability for such sharing.
On Dec. 18, 2015, Congress passed and President Barack Obama signed into law the Consolidated Appropriations Act of 2016 (H.R. 2029), an omnibus $1.1 trillion spending bill that ensures the lights will stay on at most federal agencies throughout FY 2016. Enacted just in time for the holidays – and the holiday recess – H.R. 2029 also contained the Cybersecurity Act of 2015 (“the Act”), legislation that seeks to combat cybersecurity risks by, among other things, allowing private sector and other non-federal government entities to share “cyber threat indicators” and “defensive measures” with one another as well as with federal agencies.
The Act is one of the most important cybersecurity-related laws to be passed in recent memory, as it opens the door to greater public-private sector cooperation in identifying emerging cyber threats while resolving a number of concerns that had inhibited information sharing in the past. For instance, though the federal government tried to foster greater cyber-threat information sharing between the public and private sectors prior to the Act’s passage, businesses were reluctant to cooperate out of the fear that regulators would use such information to take adverse enforcement actions against them. The Act now exempts companies from civil or regulatory liability when they share information in accordance with the new cyber-sharing law.
The sharing provisions and liability protections incentivize voluntary sharing of cyber-threat information and foster the cooperation between the public and private sectors necessary to respond to ever-evolving cyber threats. Although the Act supersedes any state law that conflicts with information sharing authorized under it, the Act does not exonerate healthcare entities, financial institutions, and other businesses from their duties under other federal and state laws to protect individually-identifiable information within their control. This means that any company participating in an information sharing program must otherwise act in accordance with its existing privacy and data security obligations.
For instance, the Act does not absolve HIPAA-covered healthcare entities from their duties under the HIPAA Privacy and Security Rules to guard protected health information (PHI). It remains to be seen whether what is considered individually-identifiable under this statute will align with what is considered individually-identifiable under HIPAA. The Act provides for HHS to submit to Congress a plan to improve cyber preparedness in health care, including “information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry.” The steps should be consistent with the HIPAA Security Rule, but the Act makes clear that the cyber preparedness steps are to be voluntary, and that nothing in the statute authorizes HHS to audit compliance with the steps or require their adoption.
What Does the Cybersecurity Act Permit?
The Cybersecurity Act allows companies in every industry to conduct a wide range of information sharing and other cybersecurity threat monitoring activities:
Sharing Information with the Federal Government & Other Non-Federal Entities
The Cybersecurity Act’s major information sharing provision permits “non-federal entities” – any person, private entity, or state, local, or tribal government – to voluntarily share or receive “cyber threat indicators” or “defensive measures” from any other non-federal entity or the federal government. However, cyber threat indicators or defensive measures can only be shared or received when they are used for a “cybersecurity purpose” – that is, for protecting information or an information system from a cyber threat or security vulnerability. Federal agencies cannot otherwise compel a private entity to share cyber threat indicators, such as conditioning the award of federal grants or contracts based on a private entity’s willingness to share information.
A “cyber threat indicator” is broadly defined to include information necessary to describe or identify cybersecurity threats – such as a security vulnerability, the means of defeating a security control or exploiting a vulnerability, or the resulting harm – as well as any other attribute of a cybersecurity threat. A “defensive measure,” on the other hand, is “an action, device, procedure, signature, technique, or other measure” that detects, prevents, or mitigates known or suspected cybersecurity threats or security vulnerabilities.
The Act also allows a “private entity” to monitor for cyber threats and deploy defensive measures on its own information systems, and the systems of others when specifically authorized in writing. A private entity is defined as any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity.
Under the Act, when monitoring occurs or defensive measures are used, security controls must be implemented to guard against the unauthorized use or disclosure of cyber threat indicators or defensive measures that contain personal information of a specific individual. Additionally, information identifying a specific person that is not directly related to a cyber threat must be removed prior to sharing a cyber threat indicator.
Under the Act, the provision of cyber threat indicators and defensive measures to the federal government does not waive any privilege or protection under the law, including trade secret protection.
Sharing Information by the Federal Government
Ensuring that cyber-sharing is not a one-way street, the Cybersecurity Act also permits federal agencies to share cyber threat indicators, defensive measures, or related information with both other federal agencies and non-federal entities. Additionally, the Act requires the federal government to assist businesses in combating cyber threats by periodically sharing cybersecurity best practices that it has developed with the assistance of the private sector, with particular focus on the challenges faced by small businesses.
Use of Shared Information by a Non-Federal Entity
A non-federal entity is allowed to use cyber threat indicators and defensive measures it receives to protect its own information systems, or otherwise use, retain and further share such information when allowed by law. All uses, however, must be for a cybersecurity purpose.
Use of Shared Information by the Federal Government
A federal agency can use, disclose, or retain any shared information solely for: a cybersecurity purpose; identifying cybersecurity threats or security vulnerabilities; responding to, preventing, or mitigating specific threats of death, serious bodily or economic harm, or terrorism; and investigating, prosecuting, or combating other prescribed criminal offenses. It should be noted that these authorized activities of the federal government resulting from the shared information may lead to a proceeding, such as a federal criminal prosecution. The Act does not prevent the disclosure of a cyber threat indicator or defensive measure in a criminal prosecution.
Companies concerned about the confidentiality or proprietary nature of their information should carefully consider the business impact of any information sharing when that information might be referenced in a public proceeding. The Act does, however, exempt shared information from disclosure under federal and state freedom of information acts.
The Cybersecurity Act declares that private entities are free from liability related to the monitoring of information systems, or the sharing or receipt of cyber threat indicators or defensive measures, as long as they do so in accordance with the Act.
The Act also prohibits federal, state, tribal or local governments from using cyber threat indicators and defensive measures shared with the federal government to regulate “the lawful activities of any non-federal entity.” In order for a company to avail itself of the liability protections, it is critical that the sharing of information under the Act be conducted strictly in accordance with the Act. This will require redaction of any personally identifiable information that is not directly related to a cybersecurity threat before such information is shared.
The Cybersecurity Act is a positive step in promoting information sharing necessary to combat rapidly evolving cyber threats. Companies should welcome the liability protections that many business leaders have long viewed as a critical piece in the broader cyber threat sharing puzzle. The challenge will be to ensure that any information sharing is done in accordance with the Act. This means that companies currently required to comply with privacy and security regulatory frameworks must review those obligations and assess their compliance with them before participating in any information sharing authorized by the Act.