To share or not to share: that is the question for companies that hold information about cybersecurity threats. New federal legislation adopted by the Senate on October 27, 2015 is designed to encourage companies to share information about cybersecurity threats with other companies and with the federal government. The provisions of this bill, Senate Bill 754, the Cybersecurity Information Sharing Act of 2015, are discussed below.
Act Promotes Sharing. The Act provides liability protection to companies that voluntarily share “cyber threat indicators” or “defensive measures” with other private entities or with a federal agency. Specifically, it requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote:
- the timely sharing of classified cyber threat indicators in the possession of the Federal Government with cleared representatives of relevant entities;
- the timely sharing with relevant entities of cyber threat indicators or information in the possession of the Federal Government that may be declassified and shared at an unclassified level;
- the sharing with relevant entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators in the possession of the Federal Government;
- the sharing with entities, if appropriate, of information in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
- the periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analysis of cyber threat indicators and information in possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in section 3 of the Small Business Act (15 U.S.C. 632)).
At the same time, the Act provides that any company “may share with, or receive from, any other entity or the Federal Government a cyber threat indicator or defensive measure.”
Why Would Companies Share Information? A company is not required to share information under the Act. So why would a company want to? One reason is that the Act offers protection from lawsuits in some situations, and sharing threat information without that protection carries real legal exposure. For example, a company could share information that turns out to be inaccurate, and a recipient could rely on it and be harmed. A disclosure could also run from one entity in an industry to a competitor in the same industry, and that kind of exchange between competitors can raise antitrust concerns. Beyond that, companies sharing data could face suits from consumers who believe the sharing compromised their privacy. Under the bill, lawsuits stemming from disclosures it authorizes would be barred unless the disclosing company engaged in “gross negligence” or “willful misconduct.”
Another reason companies tend not to share this type of threat information is the fear of negative publicity. The Act does not directly address this concern, but it may promote a culture in which such sharing becomes more routine and therefore more acceptable. Note that the Act’s provisions sunset after 10 years, under an amendment adopted by voice vote.
Will it Become Law? Don’t go on a sharing binge just yet. This is not the first bill of its kind to pass a chamber of Congress in the last year. The Cybersecurity Information Sharing Act had companion bills in the House, House Bills 1560 and 1731 (the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015), which passed the House on April 23, 2015, were combined, and were received by the Senate on April 27, 2015. That combined bill also promoted sharing of cyber threat indicators, tasking DNI with developing and promulgating procedures to facilitate and promote similar sharing. In addition, it allowed a non-Federal entity, for a cybersecurity purpose and consistent with the bill’s requirements, to:
- share a lawfully obtained cyber threat indicator or defensive measure with any other non-Federal entity or an appropriate Federal entity (other than the Department of Defense or any component of the Department, including the National Security Agency); and
- receive a cyber threat indicator or defensive measure from any other non-Federal entity or an appropriate Federal entity.
We now have two bills that started out as companions, each now sitting in the other chamber. Resolving the differences between them will likely take a few months. President Obama has expressed general support for this type of legislation, which makes it more likely that the Act (or something similar) could become law in early 2016.