Cybersecurity Information Sharing Act of 2015 Now Law
Cybersecurity has been a top priority recently in both the United States and the European Union (EU). On December 18, 2015, the Cybersecurity Information Sharing Act of 2015 (the Act) was passed by Congress as a rider to the must-pass 2016 omnibus spending package. Signed into law the same day, the Act aims to prevent breaches of consumer data by offering legal protections to incentivize companies to share information—including data from private citizens—about threats to their networks with government entities (federal and non-federal) and other businesses. The basic premise of the Act is that cyber attackers often repeat the same techniques and tactics on a wide range of targets, so allowing companies to communicate what they see and how they prevent cyber attacks heads off future hacking and online data theft.
Title I of the Act, “Cybersecurity Information Sharing,” establishes the core cybersecurity information sharing framework: a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between “non-federal entities” (defined to include state, tribal, or local governments) and “federal entities.” The Act provides liability protections and an antitrust exemption, such that “no cause of action shall lie or be maintained in any court against any private entity . . . for the sharing or receipt of a cyber threat indicator or defense measure” in accordance with the Act. Prior to sharing information by federal or non-federal entities, Title I requires the removal of “personal information of a specific individual or information that identifies a specific individual” that is “not directly related to a cybersecurity threat.” Notably, Title I is not intended to be construed to create “a duty to share” or a “duty to warn or act based on the receipt of” a cyber threat indicator or defensive measure.
Title II of the Act, “National Cybersecurity Advancement,” contains two subtitles. Subtitle A, “National Cybersecurity and Communications Integration Center," (the Center) amends the Homeland Security Act of 2002, 6 U.S.C. §§ 141 to 150, to add several provisions designating the Center, which is within the Department of Homeland Security (DHS), as the federal entity responsible for implementing the sharing of information authorized by Title I. The Center’s functions include, without limitation: engaging with international partners to collaborate on cybersecurity information sharing and enhance security and resilience of global cybersecurity; sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with federal and non-federal entities; designating an agency contact for non-federal agencies; and entering into voluntary information sharing relationships. Subtitle B, “Federal Cybersecurity Enhancement,” establishes new cybersecurity-related requirements for the federal government and amends existing laws to improve federal network security, advance internal defenses, and establish specific reporting requirements on government agencies.
Title III of the Act, “Federal Cybersecurity Workforce Assessment,” requires the government to assess and quantify the state of federal government cybersecurity workforce needs, including “the percentage of personnel with information technology, cybersecurity, or other cyber-related job functions,” “the level of preparedness of other civilian and noncivilian cyber personnel without existing credentials to take certification exams,” and “a strategy for mitigating any gaps [in workforce] with appropriate training and certification.”
Title IV, “Other Cyber Matters,” contains several cybersecurity-related provisions that require government studies, the development of voluntary best practices for cybersecurity, measures to improve cybersecurity in the health care industry, and an amendment to the access device fraud statute, 18 U.S.C. § 1029, to allow for the prosecution of foreign individuals for access device fraud even if none of their assets are within the jurisdiction of the United States.
Years in the making, the Act has been met with both praise and widespread criticism. Supporters, including IBM, believe the Act will strengthen cyber defenses to combat big hacks, such as those recently experienced by Anthem, Sony, and Home Depot, through cooperation and sharing of technical details on the latest digital threats. The information sharing concept of the Act is also not a United States-specific model. It is currently being considered by the EU, which recently provisionally agreed on a common set of rules and regulations for member states, including a EU-level strategic cooperation group to encourage the exchange of information to improve cybersecurity capabilities. The EU version of the Act, however, is only in its initial stages, but we will continue to monitor its progress to see how the final version might affect United States companies.
Despite years of discussion and negotiation, tech companies, civil liberties groups, and security experts, have decried the language of the Act as too broad and a way for government agencies to more easily keep tabs on consumers without their knowledge (particularly because companies can turn over private consumer data to DHS which is then passed to the NSA, DoD, and FBI). In this regard, privacy advocates see the Act as a free pass to monitor users and share their information with the government without a warrant. For these critics, the Act also improperly limits the focus to information sharing, which does not address the more critical issue of how public and private entities should protect themselves at the outset from hackers. It remains unclear how effective the Act will be or whether these concerns have any merit, but it is a start to address growing concerns about cybersecurity and the need for protection.
For more information or questions about the Cybersecurity Information Sharing Act, please contact Jonathan Klein (215.864.6887; firstname.lastname@example.org) or another member of our Cyber Law and Data Protection Group.