On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the “Act”). Notably the Act:
- Does not contain the Senate’s provision concerning critical infrastructure at greatest risk. The language required government-directed agencies to report to Congress on the status of cyber incident reporting and develop potential cyber mitigation strategies at critical infrastructure at greatest risk. Many industry advocates expressed concern that this language could be the precursor to cybersecurity regulations regarding certain critical infrastructure facilities.
- Adopts the “knows at the time of sharing” standard for removal of personal information from shared cybersecurity information, as opposed to the higher “reasonably believes at the time of sharing” or “removes to the extent possible” standards.
- Directs that cybersecurity information be shared with the Federal government through a Department of Homeland Security (“DHS”) Portal, but allows the President to designate other portals (including, potentially, the Federal Bureau of Investigation) to also receive shared cybersecurity information.
- Provides liability protection for private entities that share cybersecurity information through the DHS portal, as well as through the presidentially-designated portals.
- Exempts shared cybersecurity information from Freedom of Information Act (“FOIA”) disclosure under existing FOIA exemptions.
- Adopts the Senate’s longer 10-year sunset.
The House is scheduled to vote on the omnibus spending bill on Friday, with the Senate to follow. The Obama Administration has already signaled that it supports the bill.