On December 15, 2015, the Fiscal Year 2016 Consolidated Appropriations Act (the “Appropriations Act”) was released for public review. Division N of the Appropriations Act contains language entitled the “Cybersecurity Act of 2015” (the “Act”), which sets out a framework for sharing cyber threat information between private-sector companies and the federal government.
According to the Joint Explanatory Statement that accompanied the Act, it is “designed to create a voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information, without legal barriers and the threat of unfounded litigation – while protecting private information”. The House and Senate will likely vote on the Appropriations Act this Friday; it is widely expected to pass and then be signed into law by the President.
What does this mean for you?
Although the Act mostly places responsibility on the federal government to develop the procedures that will govern cybersecurity information sharing, it also settles several legal questions for entities that share under it: (1) shared information remains the proprietary information of the entity that originated it; (2) sharing cyber threat information with the federal government does not waive any privilege or protection that attaches to it; and (3) such information may be exempt from certain disclosure laws.
The Act further clarifies that the federal government may use shared cyber threat information for an enumerated set of purposes, such as identifying a cybersecurity threat or vulnerability, responding to a specific threat of serious economic harm, and responding to or investigating an offense arising out of certain cyber-related criminal activities.
Finally, the Act provides liability protection for private entities that share, receive, or monitor such information as allowed under the Act. The Act imposes no new duty on private entities, and it does not narrow any existing duty imposed by other law. The Act also directs certain federal officials (the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General) to develop procedures under which a federal entity must review shared information and remove, or have the technical capability to remove, personal information that is not directly related to the cybersecurity threat. The Act also requires notice to affected individuals when their personal information is disclosed in violation of the Act.