Morrison & Foerster Explains: Long-Awaited Cyber Information Sharing Bill Enacted

After more than four years of congressional consideration of cyber issues, legislation to authorize companies to share cyber threat information has finally been enacted. On December 18, 2015, President Obama signed into law the omnibus federal government spending and tax bill for 2016, the Consolidated Appropriations Act, 2016 (H.R. 2029), passed by the Senate and House earlier in the day, thereby avoiding the short-term prospect of a government shutdown. Among the bill’s nearly 900 pages is the long-awaited cyber information sharing bill broadly supported by industry. Specifically, Division N of H.R. 2029 includes the Cybersecurity Act of 2015 (the “Cybersecurity Act” or the “Act”). The Cybersecurity Act is similar to the Cybersecurity Information Sharing Act of 2015 (S. 754), or “CISA,” that the Senate passed by a significant bipartisan vote in October.

Following the Senate’s passage of CISA, an informal conference of relevant Senate and House Committees (e.g., the Senate Intelligence Committee) negotiated compromise legislation, using CISA as the base text. Similar to CISA, the resulting Cybersecurity Act is intended to help protect against growing and constantly evolving cyber threats by authorizing companies to take specific steps designed to combat these threats, and removing potential or perceived obstacles that may cause companies not to engage in the activities authorized by the Act. While the Cybersecurity Act addresses a variety of cybersecurity topics, including, for example, enhancements to the federal government’s own cybersecurity and a federal cybersecurity workforce initiative, the main focus of the new law from a private sector perspective is Title I.

Title I of the Cybersecurity Act specifically authorizes companies to engage in three types of activities in order to combat cyber threats:

  1. sharing cyber threat information with other companies and the federal government;
  2. monitoring their information systems for cyber threats; and
  3. conducting defensive measures to protect their information systems from cyber threats.

Title I also includes a number of additional protections designed to remove obstacles that may cause companies to avoid these voluntary activities, including, for example, protections from liability for sharing cyber threat information and monitoring information systems, as well as Freedom of Information Act (“FOIA”), antitrust and other protections.

The Cybersecurity Act is a long and complex piece of legislation. The following provides an overview of certain key provisions, including the bill’s authorizations and protections from liability. The following overview, however, generally does not address provisions of the Act that are focused on the federal government. For example, this overview does not address the Act’s limitations on how the government may use cyber threat information, including, for example, limitations on the use of such information for regulatory purposes.

Authorizations to Share, Monitor and Defend

In order to protect against and combat cyber threats, the Cybersecurity Act specifically authorizes companies to share cyber threat information with other companies and the federal government and to monitor and operate defensive measures on their information systems. The Cybersecurity Act’s authorizations, however, are not without limitations. For example, the Act authorizes companies to engage in these activities only for “cybersecurity purposes.” As a result, the term “cybersecurity purposes” is critical in defining the scope of the authorizations and Title I of the Act generally. In this regard, the term is defined as “the purpose of protecting an information system or information that is [handled by] an information system from a cybersecurity threat or security vulnerability.” Cybersecurity Act § 102(4).

Before discussing the authorizations in more detail, it is important to highlight the voluntary nature of the Act. That is, it is important to clarify that the Act’s authorizations are not a mandate. In fact, the Cybersecurity Act includes two provisions that stress the voluntary nature of the law. For example, the Act provides that its provisions shall not be construed “to subject any entity to liability for choosing not to engage in the voluntary activities authorized in” the Act. Cybersecurity Act § 108(i). In addition, the Act includes a rule of construction to clarify that the Act does not create a duty to: (1) share cyber threat information; or (2) “warn or act based on the receipt of” cyber threat information. Cybersecurity Act § 106(c). Nonetheless, in order to obtain certain protections provided under the Act (e.g., liability protections for sharing), a company will be required to follow requirements that are conditions for such protection (e.g., the scrubbing of certain personal information).

Sharing

The Cybersecurity Act specifically authorizes a company, “notwithstanding any other provision of law” and “for a cybersecurity purpose,” to share with, or receive from, any other company or the federal government a “cyber threat indicator” [1] or “defensive measure.” Cybersecurity Act § 104(c)(1). By clarifying that a company may share cyber threat information “notwithstanding any other provision of law,” the Cybersecurity Act permits the sharing of information regardless of prohibitions that may limit such sharing under other law (e.g., the Right to Financial Privacy Act limitations on a financial institution sharing customer information with the federal government), so long as such sharing is done in accordance with the Act, as discussed below. That is, so long as a company follows the conditions that the Act imposes for the sharing of cyber threat information, a company may share such information even where privacy law may limit or prohibit such sharing.

Monitoring

The Cybersecurity Act specifically authorizes a company, “[n]otwithstanding any other provision of law” and “for cybersecurity purposes,” to “monitor”:

  • its own information systems;
  • the information systems of another company or a federal entity, if such third party has authorized and provided written consent for such monitoring; and
  • information that is handled by an information system that the company is permitted to monitor.

Cybersecurity Act § 104(a)(1). In this regard, the term “monitor” is defined as “to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.” Cybersecurity Act § 102(13). Similar to the authorization for sharing cyber threat information, by clarifying that a private sector entity can monitor its information systems “notwithstanding any other provision of law,” the Cybersecurity Act permits such monitoring notwithstanding prohibitions on such activity under other law, such as wiretapping laws, so long as the monitoring is conducted in accordance with the Act. Nonetheless, the Act does not authorize companies to monitor the information systems of third parties (e.g., their customers) without written consent.

Defending

Finally, the Cybersecurity Act authorizes a company, “[n]otwithstanding any other provision of law” and “for cybersecurity purposes,” to operate a “defensive measure” on:

  1. its own information systems; or
  2. the information systems of another company or a federal entity, if such third party has provided written consent for the operation of such defensive measures.

Cybersecurity Act § 104(b)(1). In general, the term “defensive measure” is defined as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is [handled by] an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.” Cybersecurity Act § 102(7)(A). The term, however, excludes “hack-back” activities. Specifically, the term is defined to exclude “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information [handled by] such information system not owned by” the company or another entity that has provided consent for the operation of such measure. Cybersecurity Act § 102(7)(B). In addition, similar to the limitations on monitoring, the Act does not authorize companies to conduct defensive measures on the information systems of third parties (e.g., their customers) without written consent.

Privacy Protections

Throughout the years-long consideration of cyber issues in Congress, certain privacy advocates have been critical of cyber legislation, particularly where the legislation is designed to encourage the sharing of information with the federal government. Although the privacy “debate” has largely ignored the fact that the type of information shared today within the private sector and with the federal government is typically technical in nature (e.g., threat signatures), as opposed to information about individuals, revelations relating to Edward Snowden and the National Security Agency bulk collection of data led some opponents of cyber legislation to characterize information sharing legislation as a new form of government surveillance. In order to address these and other privacy concerns, the Cybersecurity Act includes a number of provisions that address privacy considerations, from both a private sector and a federal government perspective.

Private Sector

A critical condition on the Cybersecurity Act’s authorization for companies to share cyber threat information is a requirement to first remove certain personal information. In this regard, the Act provides that a company, prior to sharing cyber threat information, must either “scrub” certain personal information from the cyber threat information or put in place a technological process to do such scrubbing. Specifically, the Cybersecurity Act provides that a company, before sharing a cyber threat indicator with a third party, must either:

  • review the cyber threat indicator to assess whether it contains any information “not directly related to a cybersecurity threat” that the entity “knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual” and remove such information; or
  • implement and use a technical capability that is “configured to remove” any information “not directly related to a cybersecurity threat” that the entity “knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.”

Cybersecurity Act § 104(d)(2). It is important to highlight that this does not impose an obligation to scrub all personal information. Instead, a company would only be required to remove personal information that it “knows” is “not directly related to a cybersecurity threat.” Depending on the context, cyber threat information that a company would consider sharing may in fact include personal information directly related to the threat. For example, in the context of a company being subjected to a DDoS attack, the company should be able to share the IP addresses from which the attack is emanating (even assuming that an IP address could be considered information that identifies a specific individual) because such information is directly related to the attack.

The Cybersecurity Act also imposes limitations on how companies may use cyber threat information shared pursuant to the new law. For example, the Act provides that a cyber threat indicator or defensive measure shared or received pursuant to the law may only be:

  1. used by a private sector entity for monitoring and defensive measure activities authorized by the legislation; or
  2. otherwise used, retained or further shared by a private sector entity, subject to otherwise applicable law or restrictions placed by the entity that originally shared the information.

Cybersecurity Act § 104(d)(3). In addition, the Cybersecurity Act imposes a safeguards requirement for information shared pursuant to the Act. Specifically, the Act provides that a company sharing or receiving cyber threat indicators or defensive measures, monitoring an information system or operating a defensive measure must “implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.” Cybersecurity Act § 104(d)(1).

Federal Government

The Cybersecurity Act includes a number of additional privacy protections, focused largely on the federal government’s handling of information shared pursuant to the Act. For example, the Act directs the Secretary of the Department of Homeland Security (“DHS”) and the Attorney General (“AG”) to issue “guidelines relating to privacy and civil liberties [to] govern the receipt, retention, use, and dissemination of cyber threat indicators” obtained by the federal government in connection with the Act. Cybersecurity Act § 105(b)(1). Among other things, the guidelines are required to address fair information practice principles and to include protections for the confidentiality of cyber threat information that includes personal information. Cybersecurity Act § 105(b)(3).

The Act also directs the Secretary of DHS, the Director of National Intelligence, the Secretary of Defense and the AG to jointly develop procedures to encourage the federal government to share classified and non-classified cyber threat information with the private sector and with relevant federal entities. Cybersecurity Act § 103(a). The procedures, however, must also address certain privacy considerations. For example, the procedures must require a federal entity to conduct its own “scrub” of personal information before sharing cyber threat indicators, even if the information was already scrubbed by a company that shared the information with the federal government. Cybersecurity Act § 103(b)(1)(E). In addition, the procedures must provide for notice to any U.S. person whose personal information “is known or determined to have been shared by a Federal entity in violation of” the Act. Cybersecurity Act § 103(b)(1)(F).

Liability Protections

The Cybersecurity Act includes significant liability protections for companies that share cyber threat information with third parties and/or monitor their own information systems, so long as such activity is conducted in accordance with the Act. The Cybersecurity Act, however, does not provide similar express liability protection for conducting defensive measures.

Specifically, the Cybersecurity Act provides that “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure”:

  • if the sharing or receipt is conducted in accordance with the Act;
  • for the sharing of information with the federal government through electronic means, the information is shared through a “portal” that is to be established by DHS; and
  • for the sharing of cyber threat indicators or defensive measures with the federal government, the information is shared after the earlier of: (A) 60 days after the date of enactment; or (B) the date on which DHS and the AG provide Congress with the policies and procedures and guidelines discussed above.

Cybersecurity Act § 106(b). In order for this liability protection to apply, a company sharing cyber threat information with third parties will need to ensure that it follows the Act’s requirement surrounding the scrubbing of personal information discussed above. In addition, by making liability protection for sharing information electronically with the federal government contingent on sharing information through a DHS “portal,” the Act is designed to steer companies to share with the federal government through a centralized point, as opposed to one-off sharing with a specific federal agency or department as commonly occurs today. That is, in order to obtain liability protection for sharing information with the federal government, a company must share the information through the DHS “portal” if the information will be shared electronically and outside certain exceptions.

In addition, the Cybersecurity Act provides that “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system and information” that is conducted in accordance with the Act. Cybersecurity Act § 106(a). In particular, this liability protection would only extend to a company’s monitoring activities that are for “cybersecurity purposes” and conducted on its own information systems or those of a third party who has authorized and provided written consent for such monitoring.

FOIA, Antitrust and Other Protections

The Cybersecurity Act includes a number of additional protections designed to address concerns that may cause companies to avoid sharing cyber threat information with either the federal government or other companies. For example, the Cybersecurity Act includes FOIA protection. Specifically, the Act provides that cyber threat information shared with the federal government shall be “exempt from disclosure under [FOIA], and any State, tribal, or local provision of law requiring disclosure of information or records” and shall be “withheld, without discretion, from the public under [FOIA], and any State, tribal, or local provision of law requiring disclosure of information or records.” Cybersecurity Act § 105(d)(3). The Act also provides that a company does not waive any applicable privilege or protection provided by law (including trade secret protection) by providing cyber threat information to the federal government. Cybersecurity Act § 105(d)(1).

In addition, the Cybersecurity Act includes antitrust protections for the sharing of cyber threat information among companies. In this regard, the Act generally provides that it is not a violation of antitrust laws for two or more companies “to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under” the Act. Cybersecurity Act § 104(e)(1). This antitrust protection would only apply with respect to efforts to prevent, investigate or mitigate cyber threats and would not extend to, for example, any activity involving price-fixing, allocating or monopolizing a market or exchanging customer lists or information regarding future competitive planning. Cybersecurity Act §§ 104(e)(2), 108(e).

Sunset

It is worth noting that Title I of the Cybersecurity Act, which includes the authorizations to share, monitor and conduct defensive measures, also includes a roughly 10-year sunset provision. Specifically, the Act provides that Title I is effective “beginning on the date of enactment . . . and ending on September 30, 2025.” Cybersecurity Act § 111(a). As a result, similar to the approach taken by Congress with respect to certain other laws, such as many provisions of the USA PATRIOT Act, the Cybersecurity Act will require congressional reauthorization in order to continue to be effective following the sunset.

ENDNOTES

[1] The term “cyber threat indicator” is defined as information that is “necessary to describe or identify” specific cyber threats, such as malicious reconnaissance, security vulnerabilities, malicious command and control or “the actual or potential harm caused by an incident.” Cybersecurity Act § 102(6).

The full memorandum was originally published by Morrison & Foerster on December 22, 2015.