Cybersecurity Act of 2015
In light of the recent online security upheavals, cybersecurity is quickly growing both as an industry and as a concern for the private and public sectors. This is not a major surprise: the Sony hack gained notoriety because of the sheer amount of information that third parties accessed without authorization. It goes to show that, unless sufficiently protected, any organization's information can be hacked and disclosed to the public. So, does your organization have a cybersecurity plan? Does it use defensive measures to protect against hackers? Most importantly, does your organization have information that it could share to help the federal government boost security?
On December 18, 2015, Congress passed and the President signed the Cybersecurity Information Sharing Act ("CISA"). Of specific note in this bill is its focus on giving the private sector a way to patch vulnerabilities. It does this primarily by authorizing three activities: (i) monitoring information systems; (ii) operating defensive measures; and (iii) providing or receiving cyber threat indicators to protect against unauthorized access.
The first part of the bill encourages monitoring information systems. Interestingly, the monitoring does not have to be of the entity's own systems by the entity itself. With written consent, an entity can monitor the systems of another entity (private or federal), along with the information stored on, processed by, or passing through those systems, provided the monitoring is done for cybersecurity purposes.
CISA also enables an entity to operate defensive measures on its systems. In general, a defensive measure is any measure applied to an information system that an entity uses to detect, prevent, or mitigate vulnerabilities in its systems. These measures are limited, however: options that would destroy or harm the information systems of others, or the data contained in them, are excluded. Notably, hacking is also prohibited, as is any measure that provides unauthorized access to a third party's system.
To achieve the desired effectiveness of the bill, sharing information with the federal government is an option. When an entity shares information with the federal government, the federal government will in turn share some of that information with other entities. Thus, if an entity discovers a defense to a common problem, it can share that information with the federal government, which will pass it on to third parties. To incentivize this sharing, Congress has included a provision limiting the liability of complying entities. These entities would be immune from most litigation stemming from sharing the information, including, but not limited to, antitrust lawsuits. To qualify, the entity must comply with CISA or any analogous process passed by Congress in the future. Of particular note is CISA's prohibition on sharing personal information unless it is directly related to a cybersecurity threat. Furthermore, shared information remains proprietary to the entity that shared it with the federal government.
Not sure whether this system is attractive enough to join? There is no penalty for refusing to share information with the government or other entities, although refusing to share also means forgoing the limited liability granted for compliance.
For more information about your rights, you should consult with an attorney. At our law firm, we assist clients regarding cybersecurity and online privacy matters.