alerts & publications

Cybersecurity Legislation Clears Important Senate Hurdle

After months of debate, the Senate passed cybersecurity legislation that if signed into law would enhance the sharing of information between the private sector and the federal government and provide important liability protection to firms that share that information. On October 27, 2015, S. 754, the “Cyber Information Sharing Act of 2015” (“CISA”), passed 74-21, with bipartisan and White House support. Before heading to the President’s desk, however, the bill must be reconciled in a conference committee with two cybersecurity bills passed by the House earlier this year: H.R. 1560, the “Protecting Cyber Networks Act” (“PCNA”), and H.R. 1731, the “National Cybersecurity Protection Advancement Act of 2015” (“NCPAA”).

Information Sharing

CISA authorizes the federal government and the private sector to share information relating to cybersecurity threats, notwithstanding any other provision of both federal and state law. The bill defines “cybersecurity threats” broadly to include any action, not protected by the First Amendment, “on or through an information system that may result in an unauthorized effect to adversely impact the security, availability, confidentiality, or integrity of an information system that is stored on, processed by, or transiting an information system.”

Although cyber threat information may be shared with any federal agency or department, the bill designates the Department of Homeland Security (“DHS”) as the central repository for collecting and disseminating the information. Information on threat indicators also may be shared with state or local government, or private entities, so long as it is for a cybersecurity purpose.

The information shared with the federal government may be utilized for a variety of purposes beyond merely identifying, preventing, or responding to cyber threats. It may also be used to prevent any situation involving an imminent threat of death, serious bodily harm, or serious economic harm, and to prevent or prosecute various crimes including fraud, identity theft, and child sexual exploitation.

Defensive Measures

CISA permits private sector firms to use limited defensive measures to combat cyberattacks on a firm’s own information systems (or those of other firms with their permission) to prevent or mitigate a known or suspected cybersecurity threat or risk. The bill allows defensive measures to be implemented notwithstanding any other provision of federal or state law, but limits the ability of firms to deploy these measures to gain unauthorized access to or “substantially harm” another firm’s network.

Liability Protections

CISA also protects from liability entities that monitor their information systems or share information relating to cybersecurity threats. First, the law specifically exempts from coverage of the antitrust laws situations in which two or more private entities share threat information for purposes of preventing, investigating, or mitigating a cybersecurity threat. CISA also forecloses any causes of action against any entity for the monitoring of its information systems and the sharing or receipt of cyber threat information, so long as it is shared by appropriate methods as outlined by the bill, including through the DHS clearinghouse when shared with the federal government. The civil liability protection in the bill does not apply to grossly negligent or willful misconduct. The bill also preempts all state law provisions that regulate the sharing of information on cyber threats and defensive measures, and the implementation of such measures.

Privacy

Before entities share threat information, they must remove personal information from the data, so long as the entity knows the information is personal at the time it is shared. Firms are also required to remove any information identifying a specific person that is not directly related to a cybersecurity threat.

Furthermore, no later than 180 days after the enactment of CISA, the Attorney General must consult with various federal entities and such private entities with industry expertise as the Attorney General considers relevant to promulgate final guidelines on privacy and civil liberties. These guidelines will govern how the federal government receives, retains, uses, and disseminates cyber threat information shared with it under CISA.

Issues to be Reconciled in Conference Committee

Several provisions of the CISA must be reconciled with the House bills before any legislation heads to the President’s desk. Some of the key differences between the three bills include:

• Removal of personal information: the House bills require that private entities make “reasonable efforts” to remove information that is “reasonably believed” to be personal information not directly related to a cyber-threat. The Senate bill, on the other hand, does not contain this requirement and only requires the removal of personal information if the entity knows, at the time of sharing, that the information is personal and not related to any cyber threat.
• Designated Information Sharing Portal: CISA designates DHS as the federal government’s information sharing portal, and all information shared with the federal government must go through the portal for the bill’s liability protections to apply. On the other hand, the House bills do not mandate such a procedure in order for the liability protections to apply, allowing for broader information sharing. Furthermore, the Senate bill allows threat information to be shared with the intelligence community, including the National Security Agency, whereas the House bills prohibit such sharing.
• Scope of liability protection: the House and Senate bills differ slightly in the scope of liability protection, including precisely which conduct it applies to, the burden of proof in private litigation, and the level of misconduct necessary to defeat the private liability protection. Specifically, while the House and Senate bills offer protection from liability for negligent conduct, the protection in the House bills extends further to cover gross negligence, whereas the CISA expressly does not.

Furthermore, the White House, in its Statement of Administration Policy in support of CISA, identified a number of areas of concern it wanted Congress to address before any bill was sent for the President’s signature. These include preserving the leadership of civilian agencies in domestic cybersecurity, limiting the sharing of information to civilian entities, constraining the use of defensive measures, and enhancing the legislation’s privacy and civil liberties protections.

Further Information

An analysis comparing the two House bills with CISA can be found here. The Statement of Administration Policy on CISA can be found here.