Cybersecurity remains a top focus of government regulators, and the prevailing trend is to encourage information sharing between the government and private entities to combat cybersecurity threats. In line with this theme, on February 9, 2016, President Obama directed his administration to implement a Cybersecurity National Action Plan (CNAP) intended to, among other things, enhance cybersecurity awareness and protections. CNAP includes the establishment of a Commission on Enhancing National Cybersecurity (the Commission), whose appointees were announced on April 13, 2016. One of the Commission’s goals is to create a policy for national cyber incident coordination that will foster communication between the government and private entities regarding cybersecurity incidents. More information regarding cybersecurity threats and the Federal Bureau of Investigation’s response to those threats is available via the Hot Topics in Law Enforcement webinar, hosted by Bradley’s Privacy and Information Security Team in April.
CNAP follows closely on the heels of the Cybersecurity Information Sharing Act (CISA), which became law on December 18, 2015. Like CNAP, CISA seeks to increase cybersecurity information sharing between federal and non-federal entities, and to this end, CISA provides protection from civil liability to non-federal entities sharing a “cyber threat indicator or defensive measure” with other private and governmental entities for “cybersecurity purposes.” The information that can be shared, however, is limited to information that is necessary to assist in detecting, preventing, or mitigating a cybersecurity threat. As a result, this safe harbor typically will not apply to personally identifiable information that financial institutions maintain on their customers, such as account numbers or Social Security numbers, and financial institutions may still face liability for unauthorized release of that information.
Both CNAP and CISA recognize that increased information sharing raises privacy concerns that must be balanced against the cybersecurity benefits of such sharing. To that end, in February 2016, the Department of Justice (DOJ) and Department of Homeland Security (DHS) published guidelines to aid private entities in sharing information with the government under CISA. The DOJ and DHS are expected to issue final guidelines on the sharing of information under CISA in June.
In advance of these final guidelines, financial institutions should carefully consider how they will protect their customers’ information if they choose to share information under CISA. CISA and CNAP indicate a clear trend towards increased information sharing, and financial institutions should have policies and procedures in place to protect private customer data and reduce their exposure to potential liability before participating in this sharing.