In November 2015, I wrote about a symposium conducted by the FBI and Secret Service to partner with the private sector on shared cybersecurity concerns. One of the open issues from that symposium concerned potential liability for firms that shared cybersecurity information with law enforcement. Those issues were supposed to be addressed in the Cybersecurity Act of 2015, which the President signed into law December 18, 2015.
Were they? The Act includes provisions that deal with some of the concerns from firms that share information with law enforcement and with one another. The statute provides the following:
- For private entities that share information with the federal government in accordance with the Act, the law provides that there is no legal cause of action against those entities.
- Cyber threat indicators and defensive measures that private entities share with federal government or with a state, tribal or local government under the Act may not be used to regulate those entities, including enforcement actions.
- Private entities do not waive privilege when they share information with the federal government.
- Private entities can declare shared information to be proprietary and confidential.
- Sharing of cyber threat information among private entities will not violate antitrust laws.
The government can only use business-supplied information for a “cybersecurity purpose.” That is, the information can only be used to protect “an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security threat or security vulnerability.” Nor can the government release that shared information to the public, including through freedom of information requests made to federal, state, and local government.
Is the Act significant? Some commentators have yawned. One called the law’s focus “fairly modest,” and stated that “companies are not especially concerned about potential liability arising from such sharing.” Forbes wrote that the bill “will likely be ineffective in the prevention of cybercrime[, and has been]…criticized for the litany of privacy issues it could potentially introduce. At its best, the bill…[is] a step in the right direction in the fight against cybercriminals.” And while some contend that many companies are already sharing cybersecurity information, other tech companies (such as Apple and Twitter) have stated they would not participate in the sharing program.
But others have pointed to the Act’s protections to businesses that choose voluntarily to share information. Those include:
- An expansive safe harbor from liability, with protections for private entities from civil, regulatory, and antitrust liability.
- No requirement that firms act after they receive shared cybersecurity information. Though not acting creates its own problems: the law does not shield those firms from liability. “An entity that receives information about a cybersecurity threat to its networks may remain subject to claims premised on common law causes of action such as negligence if it fails to respond diligently.”
- Authorizing private entities to use defensive cybersecurity measures on a firm’s information systems and those of other consenting entities. Note, though, that the Act doesn’t green-light measures that go on the attack against hackers, in order to “destroy, render unusable, provide unauthorized access to, or substantially harm thirdparty information systems.”
To benefit from the Act, firms are required to take certain steps, including removing personally identifiable information not directly related to a cybersecurity threat, from information provided to either the government or shared with another firm. And “[e]ntities that share information should keep clear records evidencing their compliance with [the Act] to ensure they can benefit from its liability protections.”
The new law may ultimately call for reduced expectations. That understood, the Act could result in a little more certainty for firms that share cybersecurity information with one another and with the federal government.
The information in this article is for general use, and may not be applicable in all situations. You should not act on it without specific legal advice based on your particular circumstances. The views expressed in this article should not be attributed to Jones Morrison LLP, its attorneys, or its clients.
 Cybersecurity Act of 2015 §106(a)-(b) (“[n]o cause of action shall lie…against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system….[and] for the sharing or receipt of a cyber threat indicator or defensive measure….”) (Act)
 Sullivan & Cromwell discusses The Cybersecurity Act of 2015, CLS Blue Sky Blog, (Jan. 6, 2016) 4/7, http://clsbluesky.law.columbia.edu/2016/01/06/sullivan-cromwell-discusses-the-cybersecurity-act-of-2015/ (Blue Sky Blog)
 Act, §105(d)(1) (“shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.”)
 Act,, §105(d)(2) (cyber threat or defensive measure…shall be considered the commercial, financial, and proprietary information of such…entity when so designated by the…entity….”)
 Act,, §104(e)(1) (“it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes….”)
 Act,, §102(4). An “information system” is “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” Id., §102(9)(A) (incorporating by reference, 44 U.S.C. §3502(8)).
 Act,, §105(d)(3)(B) (“cyber threat or defensive measure…shall be…withheld, without discretion, from the public under section 552(b)(3)(B)…and any State, tribal, or local provision…requiring disclosure of information or records….”)
 Cadwalader, President Obama Signs Cybersecurity Act of 2015 to Encourage Cybersecurity Information Sharing, (Dec. 24, 2015), http://www.cadwalader.com/resources/clients-friends-memos/president-obama-signs-cybersecurity-act-of-2015-to-encourage-cybersecurity-information-sharing (Cadwalader).
 Forbes, The Problems Experts And Privacy Advocates Have With The Senate’s Cybersecurity Bill, 1/6, http://www.forbes.com/sites/abigailtracy/2015/10/29/the-problems-experts-and-privacy-advocates-have-with-the-senates-cybersecurity-bill/print/
 Forbes, 3/6
 Corey Bennett, Major Tech Group Comes Out Against Cyber Bill, The Hill (Oct. 15, 2015, 12:34 PM), http://thehill.com/policy/cybersecurity/257029-major-tech-group-opposes-cyber-bill (cited in Cadwalader)
 Blue Sky Blog, 2/7 (“Once triggered, CISA’s safe harbors from liability are broad. Private entities sharing information are generally shielded from civil, regulatory, and antitrust liability based on their sharing.”)
 Blue Sky Blog, 2/7.
 Blue Sky Blog, 2/7.
 Cybersecurity Act, §104(d)(2) (“A non-Federal entity sharing a cyber threat indicator… shall, prior to such sharing…review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that …identifies a specific individual and remove such information; or…implement and utilize a technical capability configured to remove any [such personally identifiable] information….”)
 Blue Sky Blog, 2/7.