What’s In The Cybersecurity Act of 2015?

The Cybersecurity Act of 2015 became law on December 18, 2015. It’s the biggest piece of cybersecurity legislation passed by Congress in recent years. It authorizes and protects certain information-sharing for cybersecurity purposes.

The terms “company” and “companies” are used below for simplicity, but the law applies to all kinds of organizations.  As long as companies comply with the terms of the Cybersecurity Act of 2015, it trumps any other conflicting law. Here are its highlights:

Sharing. Companies may share “a cyber threat indicator” or “a defensive measure.” Companies may share with other companies or with the federal government. Before sharing cyber threat information, a company must either scrub unrelated personal information or put in place a technology to do such scrubbing. However, if the personal information is directly related to the threat, it need not be scrubbed. For example, for a Distributed Denial of Service attack against a company’s website, the company should be able to share the IP addresses that the attack came from.

Monitoring. A company may, for cybersecurity purposes, monitor its own information systems or monitor information that is handled by an information system that the company is permitted to monitor. If any other company or federal entity has authorized and given its written consent, a company may also monitor that other company/entity’s information system.

Defending. For cybersecurity purposes, a company may operate a “defensive measure” on its own information systems. Again like above, it may also do so on those of another company or federal entity if authorized and with written consent.

Voluntary. The law is voluntary. Companies have no obligation to share information or to use shared information.

Broad liability shield for sharing.  The law offers an extremely broad safeguard from liability for companies that voluntarily share information on cyberattacks and cyberthreats among themselves and with the federal government. As long as the company acts in compliance with the law, “no cause of action shall lie or be maintained in any court against any private entity” for this information sharing or monitoring. The company is protected from prosecution, from regulators, and from civil suits. Advocates of the law note that 62% of organizations feared liability for participating in a threat intelligence exchange program, according to a 2015 Ponemon Institute report. The liability shield should ease that concern.

For companies that choose not to share or act on such data, the law states that it creates no new duty to share a cyber threat indicator or defensive measure. It also creates no new duty to warn or act based on the receipt of a cyber threat indicator or defensive measure. The law also states that nothing in it “shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized” by the law.

Use by law enforcement. It allows the use of specific threat data by law enforcement without court approval when there is a known, particular threat.

Reporting portal. The law calls for the U.S. Department of Homeland Security to set up an information-sharing website portal. Companies will give information directly to DHS, which will share with other agencies. The portal is to be ready by March 17, 2016.

The new law is not universally supported, as some privacy advocates have criticized it for emphasizing surveillance over privacy.

 

 

This entry was posted in Cyber Security, Government Regulations.

Share this Article:

Leave a Reply

View Reply Form

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>