Cybersecurity Legislation Clears Important Senate Hurdle
November 4, 2015
After months of debate, the Senate passed cybersecurity legislation that, if signed into law, would enhance the sharing of information between the private sector and the federal government and provide important liability protection to firms that share that information. On October 27, 2015, S. 754, the “Cybersecurity Information Sharing Act of 2015” (“CISA”), passed 74-21, with bipartisan and White House support. Before heading to the President’s desk, however, the bill must be reconciled in a conference committee with two cybersecurity bills passed by the House earlier this year: H.R. 1560, the “Protecting Cyber Networks Act” (“PCNA”), and H.R. 1731, the “National Cybersecurity Protection Advancement Act of 2015” (“NCPAA”).
CISA authorizes the federal government and the private sector to share information relating to cybersecurity threats, notwithstanding any other provision of federal or state law. The bill defines “cybersecurity threat” broadly to include any action, not protected by the First Amendment, “on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”
Although cyber threat information may be shared with any federal agency or department, the bill designates the Department of Homeland Security (“DHS”) as the central repository for collecting and disseminating the information. Information on threat indicators also may be shared with state or local government, or private entities, so long as it is for a cybersecurity purpose.
The information shared with the federal government may be utilized for a variety of purposes beyond merely identifying, preventing, or responding to cyber threats. It may also be used to prevent any situation involving an imminent threat of death, serious bodily harm, or serious economic harm, and to prevent or prosecute various crimes including fraud, identity theft, and child sexual exploitation.
CISA permits private sector firms to use limited defensive measures to combat cyberattacks on a firm’s own information systems (or those of other firms with their permission) to prevent or mitigate a known or suspected cybersecurity threat or risk. The bill allows defensive measures to be implemented notwithstanding any other provision of federal or state law, but limits the ability of firms to deploy these measures to gain unauthorized access to or “substantially harm” another firm’s network.
CISA also protects from liability entities that monitor their information systems or share information relating to cybersecurity threats. First, the bill specifically exempts from the antitrust laws situations in which two or more private entities share threat information for purposes of preventing, investigating, or mitigating a cybersecurity threat. Second, CISA forecloses any cause of action against an entity for monitoring its information systems or for sharing or receiving cyber threat information, so long as the information is shared by the methods the bill prescribes, including through the DHS clearinghouse when it is shared with the federal government. The civil liability protection in the bill does not extend to grossly negligent or willful misconduct. The bill also preempts all state law provisions that regulate the sharing of information on cyber threats and defensive measures, and the implementation of such measures.
Before sharing threat information, an entity must review it and remove any information that the entity knows, at the time of sharing, to be personal information of a specific individual, or information that identifies a specific individual, and that is not directly related to a cybersecurity threat.
Furthermore, no later than 180 days after the enactment of CISA, the Attorney General must consult with various federal entities and such private entities with industry expertise as the Attorney General considers relevant to promulgate final guidelines on privacy and civil liberties. These guidelines will govern how the federal government receives, retains, uses, and disseminates cyber threat information shared with it under CISA.
Issues to be Reconciled in Conference Committee
Several provisions of CISA must be reconciled with the House bills before any legislation heads to the President’s desk. Some of the key differences between the three bills include:
- Removal of personal information: the House bills require that private entities make “reasonable efforts” to remove information that is “reasonably believed” to be personal information not directly related to a cyber-threat. The Senate bill, on the other hand, does not contain this requirement and only requires the removal of personal information if the entity knows, at the time of sharing, that the information is personal and not related to any cyber threat.
- Designated Information Sharing Portal: CISA designates DHS as the federal government’s information sharing portal, and all information shared with the federal government must go through the portal for the bill’s liability protections to apply. On the other hand, the House bills do not mandate such a procedure in order for the liability protections to apply, allowing for broader information sharing. Furthermore, the Senate bill allows threat information to be shared with the intelligence community, including the National Security Agency, whereas the House bills prohibit such sharing.
- Scope of liability protection: the House and Senate bills differ slightly in the scope of liability protection, including precisely which conduct it applies to, the burden of proof in private litigation, and the level of misconduct necessary to defeat the protection. Specifically, while both the House and Senate bills offer protection from liability for negligent conduct, the protection in the House bills extends further to cover gross negligence, whereas CISA expressly does not.
Furthermore, the White House, in its Statement of Administration Policy in support of CISA, identified a number of areas of concern it wanted Congress to address before any bill was sent for the President’s signature. These include preserving the leadership of civilian agencies in domestic cybersecurity, limiting the sharing of information to civilian entities, constraining the use of defensive measures, and enhancing the legislation’s privacy and civil liberties protections.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Matthew Close, an O’Melveny partner licensed to practice law in California, Randall Edwards, an O’Melveny partner licensed to practice law in California, Danielle Gray, an O’Melveny partner licensed to practice law in New York, Jeffrey Kilduff, an O'Melveny partner licensed to practice law in the District of Columbia and Virginia, David Leviss, an O’Melveny partner licensed to practice law in the District of Columbia and New York, Matthew Sheehan, an O’Melveny counsel licensed to practice law in the District of Columbia, New Jersey, and Pennsylvania, and Evan Schlom, an O’Melveny associate licensed to practice law in California and the District of Columbia contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2015 O'Melveny & Myers LLP. All Rights Reserved.