As we wrote last week, the Cybersecurity Act of 2015 – better known to some as the Cybersecurity Information Sharing Act of 2015 – was signed into law in December 2015. Privacy advocates had decried CISA in its original form as weakening privacy protections in regard to Internet traffic. When Congress slipped a revised version of CISA into a gigantic omnibus spending bill for the President’s up or down approval, some claimed the revised bill “stripped out even more of its remaining privacy protections.”
At the most general level, CISA is intended to make it unequivocally legal for Federal and non-Federal entities to monitor information systems and to share information with each other about potential cybersecurity threats. Forming an opinion as to whether the law – which is short on specifics – actually accomplishes this goal requires a pretty detailed understanding of the pre-CISA legal landscape, and the restrictions that existed (or arguably still exist) on monitoring traffic across information systems connected to the Internet.
But whether CISA succeeds in broadening the scope of lawful monitoring or not, it contains only two vague provisions that address the measures entities that gather data from Internet monitoring must take to secure the information once it has been collected. The first provision provides that non-Federal entities are expected to “implement and utilize a security control to protect against unauthorized access to or acquisition of” information about cybersecurity risks and defenses. Apparently, this provision means that, once information about cybersecurity risks is gathered by an entity monitoring for such risks, that information must be protected from unauthorized access, presumably so that the “bad guys” won’t know that they have been had.
The second provision concerns the treatment of private information that may be included in data that is gathered for the purpose of monitoring for cyber risks and which may be shared with other entities in an effort to decrease overall cybersecurity risk. Entities collecting and sharing such information are expected to:
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
Notably, this provision deals exclusively with information that is shared. It says nothing about how non-Federal entities are expected to treat private information that is intercepted while lawfully monitoring their own information systems. But either way, whether what CISA seems to require in this regard is even possible – implementing a technical fix that can more or less automatically segregate personally identifiable information from “threat indicator” information and only share the latter without sharing the former – is more or less unknown as of this writing. This seems to be an on-point example of just the kind of thing privacy advocates feared in their opposition to CISA to begin with.
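A sketch of the kind of “technical capability” clause (B) contemplates, added here as an illustration and not drawn from the statute or from the article; the field allowlist (THREAT_FIELDS) and the sample indicator are constructed assumptions. It keeps only fields the operator has classified as directly threat-related, drops the rest, redacts e-mail addresses in free text unless the address is itself the indicator, and logs every removal so the review in clause (A) can be audited; the sender-versus-victim distinction it relies on is exactly the judgement no automated pass can make on its own.

```python
import re
from typing import Dict, List, Tuple

# Assumed allowlist of fields treated as directly related to the threat.
# The statute names no fields; this classification is a constructed example.
THREAT_FIELDS = {"indicator_type", "malicious_ip", "file_sha256",
                 "sender_email", "c2_domain", "observed_at"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_indicator(indicator: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (shareable_record, removal_log).

    Fields outside THREAT_FIELDS are dropped. E-mail addresses inside the
    free-text 'description' are redacted unless they equal a threat-related
    value (e.g. the phishing sender), which is kept because it is the indicator.
    """
    threat_values = {v for k, v in indicator.items() if k in THREAT_FIELDS}
    shareable: Dict[str, str] = {}
    removed: List[str] = []

    def redact(match: "re.Match[str]") -> str:
        addr = match.group(0)
        if addr in threat_values:
            return addr                      # attacker-controlled address stays
        removed.append(f"description:{addr}")
        return "[REDACTED-EMAIL]"            # anyone else's address is PII

    for key, value in indicator.items():
        if key in THREAT_FIELDS:
            shareable[key] = value
        elif key == "description":
            shareable[key] = EMAIL_RE.sub(redact, value)
        else:
            removed.append(key)              # unknown/PII field: do not share
    return shareable, removed


# Constructed sample indicator; none of these values are real.
SAMPLE = {
    "indicator_type": "phishing-email",
    "sender_email": "invoice@constructed-phish.example",
    "c2_domain": "constructed-c2.example",
    "victim_email": "jane.doe@victim.example",
    "victim_name": "Jane Doe",
    "description": "jane.doe@victim.example opened a message from invoice@constructed-phish.example",
}

if __name__ == "__main__":
    record, log = scrub_indicator(SAMPLE)
    print(record)
    print(log)
```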
In addition to arguably increasing the scope of lawful monitoring of information systems, with little guidance on how information collected in that effort can be used, CISA also includes provisions designed to limit the liability of participating entities. The law expressly states that “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall promptly be dismissed, for the monitoring of an information system and information … that is conducted in accordance with this title.” A similar provision protects sharing and receiving certain information among Federal and non-Federal entities.
Notwithstanding, the law doesn’t entirely immunize entities from liability. It includes a provision that expressly preserves contractual rights and obligations:
Nothing in this title shall be construed—
(1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any non-Federal entities, or between any non-Federal entity and a Federal entity….
In other words, it appears that the newly lawful (at least arguably) conduct generally encouraged by CISA can still be prohibited contractually. It is unclear how the Cybersecurity Act will influence business behavior. It is a new piece of legislation, with expansive implications, that attempts to regulate a technological force that is still emerging and evolving. But change is coming, and entities planning to expand their monitoring activities or interested in sharing information collected under the auspices of the Act should first carefully review their contractual obligations, and conduct due diligence on the contractual obligations of those with whom they are exchanging information, before jumping into the brave new world that CISA is aimed at creating. Those who maintain information systems should determine the extent to which their monitoring and sharing activities may be limited by contract. And just as important, businesses that hold information that may implicate the privacy interests of data subjects should determine what, if any, measures are in place to protect those interests. This sort of review should be conducted routinely, so that the contractual rights and obligations of each party may continue to be aligned with present cybersecurity efforts.