After years of vigorous debate, during which numerous bills aimed at incentivizing cyber threat intelligence sharing failed to become law, on December 18, 2015, President Obama signed an omnibus spending bill containing the Cybersecurity Information Sharing Act of 2015 (“CISA”). The statute is located in Title I of Division N of the bill, beginning on page 1728. Passage of CISA is a major victory for cybersecurity proponents in Congress and the private sector, many of whom have called for information sharing legislation for years. Although the Act raises some significant privacy concerns, the final text contains a number of provisions aimed at minimizing the privacy impact of cyber threat sharing, both among private entities and with (and within) the Federal government.
Passage of CISA is particularly important given the private sector’s long-recognized reluctance to share cyber threat information due to legal concerns. These include concerns regarding compliance with applicable privacy and antitrust laws; that shared information could be discoverable through a Freedom of Information Act (FOIA) request; that applicable legal privileges could be waived by sharing information; and that sharing information could lead to regulatory action or civil liability. CISA largely addresses these concerns and is expected to lead to a significant increase in cyber threat sharing. At the same time, it requires entities that share information to take certain basic precautions – for instance, with regard to the removal of personal information from shared information – and generally requires that sharing activities be for cybersecurity purposes in order to take advantage of many of the legal protections offered.
Among other things, CISA generally authorizes (1) private entities to monitor their information systems (and those they are authorized to monitor) for cybersecurity purposes; (2) non-federal entities to share cyber threat indicators or defensive measures with, as well as receive them from, other non-federal entities or the federal government; and (3) entities that receive cyber threat indicators or defensive measures to use them for cybersecurity purposes. The statute also directs representatives of the federal government to develop and issue procedures to facilitate and promote the sharing of cyber threat indicators and defensive measures of varying levels of classification among various categories of federal and non-federal entities. These include procedures requiring federal entities that share cyber threat indicators to review the information prior to sharing it, to assess whether it contains any information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and to remove that information. This review can be achieved through the use of a “technical capability.”
The statute also provides liability protections for private entities that (1) monitor information systems or (2) share or receive cyber threat indicators or defensive measures, provided that these activities are conducted “in accordance with” the Act.
For an in-depth analysis of CISA, see our recent advisory on the statute.