What Was The Main Purpose Of The Cybersecurity Act Of 2015?

In December 2015, President Obama signed into law an omnibus spending package for fiscal year 2016 that included the Cybersecurity Act of 2015 (known in earlier versions as the Cybersecurity Information Sharing Act). After years of failed attempts to enact similar measures, the Cybersecurity Act of 2015 establishes a framework that facilitates and encourages the confidential sharing of cyber threat information between the federal government and the private sector.

The Act took effect immediately, but it directs the Attorney General and the Secretary of the Department of Homeland Security (DHS) to issue written guidance within 90 days. Below is a brief summary of the statute's most important aspects.

Participation is Voluntary

The language of the statute emphasizes that participation in the information sharing framework is voluntary and specifically prohibits conditioning government benefits on participation. However, participation may in practice become required through changing industry standards or by contract.

Coordination of Information Sharing

The Cybersecurity Act establishes a portal at DHS, operated by its National Cybersecurity & Communications Integration Center (NCCIC), to facilitate the sharing of information on cyber threats to private and public systems, and clarifies NCCIC's statutory role in assessing and responding to cybersecurity risks and threat indicators. The Act authorizes the President to delegate authority and responsibility for the collection and dissemination of cyber threat information to an entity other than NCCIC (including one outside DHS), except that this role may not be delegated to the Department of Defense (DOD).

The law also allows DHS, at its discretion, to share cyber threat information obtained through the portal with other agencies or with the private sector. Before doing so, however, DHS must take steps to ensure that personally identifiable information has been removed. The law also exempts shared cyber threat indicators from disclosure under the Freedom of Information Act (FOIA) and other "sunshine" or open-government laws.

Privacy

While many feared that the Act merely created an additional mechanism for government surveillance, the Act contains significant privacy protections. In the limited instances where threat indicators may be intertwined with personally identifiable information, the Act requires private companies to remove personally identifiable information prior to disclosure and mandates that DHS also remove personally identifiable information prior to any further disclosure. The Cybersecurity Act also restricts the uses to which shared cyber threat information may be put, exempts that information from FOIA disclosure, and establishes requirements to protect threat information that contains personal information.

Section 104(d)(2) requires private entities to identify and remove personal information that is not directly related to a cybersecurity threat before sharing information under the Act. In addition, Section 103(b)(1)(E) requires the development of procedures to identify and remove information that is "not directly related to a cybersecurity threat that such entity knows at the time of disclosure is personal information of a particular individual or information that identifies a particular individual." It also requires procedures for notifying individuals whose personal information is known (or later determined) to have been disclosed in violation of the Act. Thus, the Act creates a dual scrubbing-and-notification process to prevent disclosure of personal information that is not needed for cybersecurity purposes.

The Act also establishes several oversight mechanisms for these privacy protections. The Comptroller General of the United States must submit a report to Congress on this issue within three years, including an "assessment of the adequacy of policies, procedures, and guidelines ... relating to privacy and civil liberties." § 107(c).

Authorization of Monitoring and Defensive Measures

Section 104 contains "authorizations to prevent, detect, analyze, and mitigate cybersecurity threats." It states that private companies may conduct cybersecurity monitoring of their own information systems, or of other companies' systems with those companies' authorization and written consent. It also states that private companies may use "defensive measures" for cybersecurity purposes to protect their own rights and property, or to protect the information systems of other companies with their authorization and written consent. A "defensive measure" is defined in broad and technology-neutral terms as "an action, device, procedure, signature, technique, or other measure applied to an information system or information stored, processed, or transmitted on an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or vulnerability." § 102(7)(A). The definition excludes any measure that "destroys, renders unusable, provides unauthorized access to, or substantially damages an information system or information ... not in the possession of the private entity operating the measure" or of another entity that has authorized the measure. § 102(7)(B). In practical terms, the exclusion rules out "hacking back": a measure that takes effect only on systems you own or are authorized to defend (blocking, sinkholing, quarantining, signature-based detection) is covered, while one that reaches into a third party's system is not. It is unclear what new authorizations, if any, these provisions grant; indeed, the statute makes clear that it is not intended to "restrict otherwise lawful activities." §§ 104(a)(2)(B), 104(b)(2)(B).

Safe Harbor

The Cybersecurity Act provides important liability protections for private sector entities. Section 106 bars causes of action for activities related to sharing or receiving cyber threat information, for cybersecurity decisions made on the basis of that information, and for authorized network monitoring. Note that this liability protection does not extend to damages caused by a cyberattack itself, such as data breach claims or claims for negligence or breach of contractual cybersecurity obligations. Nor do the protections appear to extend to claims that personally identifiable information was disclosed in violation of the Act's privacy requirements, because they cover only "disclosure or receipt [of information] under this title." § 106(b)(1). In addition to protection against private litigation, the Cybersecurity Act prohibits federal and state agencies from using cyber threat indicators provided by the private sector to regulate (including through enforcement actions) the otherwise lawful activities of private sector entities.

Critically, Section 106(c)(1) clarifies that nothing in the Cybersecurity Act should be construed to create a duty to share cyber threat indicators, or a duty to warn or otherwise act on cyber threat indicators that an entity receives.

Health Care Cybersecurity Studies

Other provisions of the Cybersecurity Act require the Department of Health and Human Services (HHS) to convene a health care industry cybersecurity task force to report on cybersecurity challenges in the health care industry. They also direct HHS to develop voluntary cybersecurity standards for health information that are consistent with the Health Insurance Portability and Accountability Act (HIPAA) and with National Institute of Standards and Technology (NIST) standards. Importantly, these provisions require input from multiple stakeholders, including HIPAA-covered entities, patient advocates, health information technology providers, and pharmaceutical and device manufacturers, among others.

Sunset Provision

The Act's authorities sunset in September 2025, but its provisions and protections continue to apply to actions taken before that date.
