Private entities have broad new powers to monitor their information systems and share cybersecurity information under the Cybersecurity Act of 2015 (“Act”), which was signed into law on December 18, 2015 as part of the Consolidated Appropriations Act. Further, private entities are immune from liability for these actions if they comply with the Act’s requirements. However, the Act has been controversial because of its privacy implications.
First, the Act allows a private entity to monitor its own information system and information stored on, processed by, or transiting its information system, if the monitoring is performed for cybersecurity purposes. With written permission, a private entity may also perform this monitoring for information systems of other private or federal entities. The term “cybersecurity purposes” is defined broadly as protection against: 1) an action, not protected by the First Amendment, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system; and 2) any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. Actions that solely involve a violation of a consumer term of service or a consumer licensing agreement are not considered cybersecurity threats.
This is a significant increase in authority for private companies, such as internet service providers. Previously, laws such as the Wiretap Act and the Stored Communications Act generally allowed such monitoring and disclosure of information only when necessary for providing that service or for the protection of the rights or property of the provider. However, the new authority to monitor for cybersecurity purposes is much broader. For example, George Washington University law professor Orin Kerr has suggested that the definition of cybersecurity threats might encompass a company monitoring its network to prevent employees from disclosing trade secrets.
Second, the Act allows private entities to share certain information with other non-federal entities or with the federal government for cybersecurity purposes. The entity must review information to be shared (or use a technical capability) and remove information that is not directly related to a cybersecurity threat and that is personal information of a specific individual or information that identifies a specific individual. Significantly, this requirement only applies when the entity has actual knowledge at the time of sharing of the personal content of such information.
The information that private entities may share consists of “defensive measures” and “cyber threat indicators.” Defensive measures are generally those that protect against known or suspected cybersecurity threats or security vulnerabilities. Cyber threat indicators consist of information that is necessary to describe or identify:
- malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
- a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
- malicious cyber command and control;
- the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
- any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
- any combination of the above.
Private entities that comply with the Act’s requirements for monitoring and sharing information are immune from liability for these activities. Companies that are considering instituting a monitoring program or sharing information for cybersecurity purposes should review the Act’s requirements carefully and document their compliance.
Moreover, entities should continue to monitor developments on privacy and cybersecurity policy, especially as the Act focuses on information sharing instead of what entities can do to protect against a hack. The Act has been criticized by privacy advocates, and a repeal bill has already been introduced in the House. Putting aside whether the Act should be repealed or whether it allows information to be shared with the government without a warrant, as some critics have argued, additional privacy guidance should be forthcoming. By February 16, 2016, the Act requires the Attorney General and the Secretary of Homeland Security to publish to Congress interim guidelines on privacy and civil liberties to govern the use of information gained by federal entities under the Act. Final guidelines are to be published by June 15, 2016.