On December 18, 2016, President Obama signed into law the Federal Cybersecurity Act of 2015 (the Act). The long-awaited and heavily negotiated legislation recognizes the need for greater cybersecurity threat information sharing among public and private entities, encourages private entities to more freely engage in such sharing and permits private entities to take certain measures to protect themselves against cyber threats.
With respect to information sharing, the Act establishes a mechanism for sharing cybersecurity threat information among private sector entities and the federal government, with the Department of Homeland Security as the primary hub for that sharing. The Act provides broad safe harbors for private entities sharing information in accordance with its terms, exempting such entities from civil, regulatory and antitrust liability based on their sharing, and exempting shared information from the Freedom of Information Act. Further, the Act specifically provides that disclosure of cyber threat indicators or defensive measures (discussed below) to the federal government in accordance with the Act will not operate to waive privileges or protections provided by law, such as trade secret protection.
The federal government’s usage of information obtained pursuant to the Act is limited to specified permissible uses. In addition, prior to sharing information under the Act, nonfederal entities are required to review the information and remove any information that the sharing entity “knows at the time of the sharing” to be personal or personally identifying information not directly related to a security threat.
With respect to measures that a private entity may take to protect itself, the Act authorizes private entities to monitor and use defensive measures to protect their information systems (and those of consenting entities). However, measures commonly considered and referred to as “hacking back” are specifically excluded from the defensive measures permitted by the Act. The U.S. Department of Homeland Security has released a document titled Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 to provide “information that will assist non-federal entities who elect to share cyber threat indicators with the Federal Government to do so in accordance with the Act.”
Private entities will now be able to more freely share what is often rapidly evolving cyber threat information with one another and take defensive measures to protect themselves from those threats, avoiding circumstances in which every new threat requires companies to repeatedly reinvent the wheel to protect their information and systems.