The Cybersecurity Information Act of 2015
The Cybersecurity Information Sharing Act of 2015 (CISA)[1] was adopted to encourage voluntary sharing: (i) among private sector businesses; and (ii) between businesses and public entities, and the federal government, of information about cybersecurity threats, and the development of defensive measures. Information sharing by companies conflicts with the goal of protecting intellectual property and avoiding related legal risks. CISA is intended to overcome these obstacles and increase the sharing of information critical to enhancing cybersecurity protection.
Businesses will have access to information shared under CISA, and can use the information to monitor and defend against cyberthreats. As the number of companies participating (and sharing threat-related information) in CISA grows, it is hoped that this will lead to the development of common defensive techniques which can be used by many firms facing the same or similar threats.
Incentives to Share Information
- Liability Limitations
To encourage cybersecurity information sharing, CISA provides: (i) protection from liability for cybersecurity information sharing; (ii) an antitrust exemption for sharing cyber threat indicators (“CTIs”) and defensive measures (“DMs”) with competitors; (iii) protections from public disclosure laws; (iv) non-waiver of privileges and protection of trade secrets; and (v) protection of designated proprietary information.
However, while CISA protects companies in connection with the sharing of CTIs and DMs, it does not shield companies from potential liability in the event of a data breach or cyber-attack.
- Limitations on Government Use
Additionally, there is a limitation on regulators’ use of data shared under the auspices of CISA. The federal government may use the data only to identify a cyberthreat or its source, respond to or mitigate a specific threat of death or serious economic harm, or to investigate or prosecute certain offenses specified in the law. It may not use shared data in the supervision of, or to initiate an enforcement action against, a sharing company.
Companies will not be immune from government enforcement actions simply by participating in CISA-authorized information sharing. As with liability protections, companies will still be subject to the same laws requiring disclosure of breaches that they are currently subject to, even if they participate in the information sharing regime.
What CISA Does Not Do:
- Require information sharing;
- Create a duty to warn based on information received through CISA’s information sharing
- Create a federal breach notification requirement;
- Grant immunity from lawsuits in the event of a data breach
Implementation
On June 15, 2016, the Department of Homeland Security (“DHS”) issued Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA (“Guidance”) [2]. The Guidance explains what constitutes CTIs and DMs, and clarifies how private companies can share CTIs and DMs in a way that receives liability protection under CISA.
There are four requirements for shared CTIs and DMs to receive full protection under CISA: (i) the information sharing must be for a cybersecurity purpose; (ii) the information must fit the definition of a CTI or DM; (iii) the information must not include personal information of a specific individual or that identifies a specific individual (“PII”); and (iv) the information must be shared through means specified by DHS.
Will Companies Participate in CISA?
Despite Congress’ attempt to encourage the development of a collective defense regime against cyber threats, many businesses may choose not to participate in CISA.
- A firm may believe its own cybersecurity competence is a competitive advantage.
- CISA applies only in the US. Many firms have international operations and will be concerned that shared cyber threat information will end up in the hands of entities outside the US.
- If the IT system of a company participating in CISA is breached, the concern is whether the shared information could be used by the regulator, not as the basis for a regulatory action, but as evidence that the company should have known how to prevent the attack
- A firm that fails to implement a DM could be subject to private litigation for failing to protect its customers.
In the six since it was enacted, companies have been slow to participate in CISA. It remains to be seen whether the new DHS Guidance and companies experience with CISA will increase the participation rate.
[1] CISA became effective December 18, 2015. Consolidated Appropriations Act, 2016, Pub. L. 114-113 (2015).
[2] https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec 105%28a%29%29.pdf