It is official: on December 18, 2015, President Obama signed the Cybersecurity Act of 2015, which encompasses the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law.
Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber threat indicators” or “defensive measures” with other private entities or a federal agency. The Act’s provisions will sunset in 10 years.
Cybersecurity Information Sharing Act of 2015 Hot Topics
Much debate has swirled around CISA, both before and after it passed the Senate and its companion bill passed the House. The hot-button issues, and how each was resolved in the final text, are as follows:
- Knows Standard. CISA requires that, prior to sharing cyber threat indicators, the entity remove personal information of a specific individual or information that identifies a specific individual if the entity knows the cyber threat information to contain this personal information. Privacy advocates argue that the burden of merely scrubbing personal information that the entity knows about is too lax. Earlier versions of the Act included language that put a greater burden on entities, such as “reasonably believes at the time of sharing” or “remove to the extent possible.”
- Broad Monitoring Power. CISA permits private companies, including Internet Service Providers (“ISPs”), for “cybersecurity purposes,” to monitor “an information system of such private entity; . . . [and] information that is stored on, processed by, or transiting an information system monitored by the private entity.” Privacy advocates worry that this language permits ISPs to monitor and access information for nearly any purpose, in contravention of the Wiretap Act and the Electronic Communications Privacy Act.
- DHS Portal. CISA directs that cyber threat information be shared through a Department of Homeland Security Portal, as opposed to a civilian agency, which could, arguably, provide a check on the use of this information.
- No Critical Infrastructure at Greatest Risk Provision. The version of CISA that passed the Senate in October 2015 contained a provision requiring the Secretary of Homeland Security to develop a strategy to mitigate the risk of catastrophic attacks on critical infrastructure. Some argued that permitting the Secretary of Homeland Security to create cybersecurity standards would have the practical effect of regulation. The version of CISA contained in the spending bill does not include this provision.
- FOIA Exemption. A cyber threat indicator or defensive measure shared by or with the government is exempted from Freedom of Information Act disclosure under CISA.
Focus on Health Care
Contained in Title IV of the Cybersecurity Act of 2015, but not within CISA, was language specific to improving cybersecurity in the health care industry. Under this provision, the Department of Health and Human Services (“HHS”) is tasked with convening a task force within 90 days after enactment to address cybersecurity issues unique to the health care industry. Specifically, the task force is responsible for:
- analyzing how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
- analyzing the challenges and barriers that private entities (excluding any State, tribal, or local government) in the health care industry face in securing themselves against cyber attacks;
- reviewing challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
- providing HHS with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
- establishing a plan for implementing CISA, so that the Federal Government and health care industry stakeholders may, in real time, share actionable cyber threat indicators and defensive measures; and
- reporting its findings and recommendations to the appropriate congressional committee.
Additionally, the Cybersecurity Act of 2015 tasks the Secretary of HHS with developing voluntary cybersecurity guidance for the health care industry. This could be a boon to health care organizations, which currently have little guidance in this regard.
Though it has been a bumpy ride, sharing cyber threat information was given priority in the 114th Congress – now companies will need to work together to understand this new sharing framework.