U.S. Senate Passes Cybersecurity Information Sharing Act

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Rajesh De, Howard W. Waltzman, Stephen Lilley and Matthew A. Waring

Raj De is a partner in Mayer Brown's Washington DC office and leads the firm's global Cybersecurity & Data Privacy practice. Previously, he was General Counsel at the United States National Security Agency (NSA). He can be reached at rde@mayerbrown.com.

Howard Waltzman is a partner in Mayer Brown’s Cybersecurity & Data Privacy practice. Based in Washington, DC, he focuses his practice on communications and Internet law and privacy compliance. He can be reached at hwaltzman@mayerbrown.com.

Stephen Lilley is a senior associate in Mayer Brown's Cybersecurity & Data Privacy practice. Based in Washington, DC, he focuses his practice on complex and interrelated litigation, regulatory, and policy issues. He can be reached at slilley@mayerbrown.com.

Matt Waring is a litigation associate in Mayer Brown’s Washington, DC office. He focuses his practice on representing clients in state and federal appellate courts and on providing analysis, guidance, and advocacy on federal regulatory issues. He can be reached at mwaring@mayerbrown.com.

A broad consensus has emerged in the last few years regarding the need to enhance sharing of cybersecurity threat information within the private sector and between the private sector and the government, subject to appropriate privacy safeguards. On Tuesday, October 27, the US Senate passed significant legislation on that topic—the Cybersecurity Information Sharing Act (CISA, S.754)—by a vote of 74-21.

CISA seeks to encourage private-sector companies to share information about cybersecurity threats with other private entities and with the federal government, voluntarily, and to take defensive measures against such threats.

Tuesday's vote represents the first time that the Senate—after three-and-a-half years of trying—has passed cybersecurity information-sharing legislation. Key stakeholders in the House and Senate now expect the bill to go to conference with similar House legislation, and the prospects of information-sharing legislation becoming law this Congress appear to be strong. Companies engaged in, or contemplating, cybersecurity information sharing should continue to monitor this important legislation as it moves toward enactment.

CISA authorizes private entities to monitor their information systems “for cybersecurity purposes,” to take defensive measures to protect such systems and to share information about cybersecurity threats and defensive measures with the federal government. It provides several incentives to private entities in order to encourage them to take these steps. Most notably, the bill would shield private entities against liability for actions taken, in accordance with the bill's requirements, in monitoring their systems for cybersecurity threats or in sharing cyber threat information. It also would protect private entities from antitrust liability for sharing information about cybersecurity threats with other private entities.

The legislation directs the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD) and the Department of Justice (DOJ) to lead the development of procedures to facilitate and promote the federal government's sharing of information about cybersecurity threats. It requires DHS to build a capability for accepting information about cybersecurity threats from private entities in the first instance and for sharing that information with other federal agencies in a timely manner.

In a key concession to address privacy concerns, a private-sector entity must share information with DHS if it wishes to receive the liability protections CISA provides. The bill would also protect cyber threat indicators and defensive measures provided to the government from disclosure under FOIA.

The Senate debate largely focused on the bill's protections of personal privacy. For example, the bill would require private entities to take certain steps to remove individuals' personal information from information that they share with the government and within the private sector. In addition, the bill would direct DOJ to promulgate privacy guidelines that would apply to information sharing with the government (requiring the destruction of individuals' personal information that is unrelated to cybersecurity threats, e.g.). The bill also would require the Privacy and Civil Liberties Oversight Board to provide biennial reports describing the effect of the Act on privacy and civil liberties, and the sufficiency of the privacy guidelines established by DOJ.

CISA also includes a range of provisions that are unrelated to cybersecurity information sharing. These include titles intended to enhance federal cybersecurity, especially in the wake of the Office of Personnel Management's data breach, and to assess the federal cybersecurity workforce. CISA would also require the creation of a new voluntary cybersecurity framework for healthcare cybersecurity; require a study on the cybersecurity of mobile devices used by the federal government; and require the development of mitigation strategies for “critical infrastructure at greatest risk” from a cyber incident.

The House and Senate are expected to go to conference to reconcile CISA with two similar bills passed by the House earlier this year: The Protecting Cyber Networks Act (H.R.1560), and The National Cybersecurity Protection Advancement Act (H.R. 1731). Key issues in the conference negotiations are likely to include which agency will operate the portal for information sharing by private entities and the steps private entities must take to remove individuals' personal data from the information they share with other private entities and with the government.

President Obama has taken executive action to expand cybersecurity information sharing and has pressed for information-sharing legislation. For example, in the recent Statement of Administration Policy regarding CISA, the administration reiterated that “[a]n important building block for improving the Nation's cybersecurity is ensuring that private entities can collaborate to share timely cyber threat information with each other and the Federal Government.” There is every reason to expect the administration to remain engaged on this issue and to anticipate that President Obama would sign any legislation that emerges from a conference and passes both houses of Congress.