Key CISA Provisions Impacting Private Entities

On December 18, 2015, President Obama signed the Cybersecurity Information Sharing Act (“CISA”), which was the culmination of intense negotiations that reconciled three separate cybersecurity bills passed by the U.S. Senate and House of Representatives last year.  Of the four titles in CISA, Title I is the most impactful for private entities because it establishes mechanisms by which non-federal entities can share cybersecurity information with each other and with federal departments and agencies. Key provisions of Title I of CISA are outlined below.

CISA is strictly voluntary and does not impose a duty to share information on private entities. Indeed, it expressly prohibits the federal government from using tactics intended to coerce parties into sharing cybersecurity threat information. For entities that do participate, CISA provides safe harbors from liability. To trigger the safe harbor protection under CISA, the entity must share the information in accordance with CISA’s provisions.

An entity that shares information under CISA must also scrub the information beforehand to remove all known personal or personally identifiable information that is unrelated to the cybersecurity threat. While CISA does not define personal information, the Department of Homeland Security (“DHS”) is expected to release guidance on this point, and it is anticipated that the standards for personal information could follow DHS’s Privacy Impact Assessment 029. That Assessment describes how DHS and a reporting entity can and should treat personally identifiable information associated with a cyber threat indicator that is shared as part of DHS’s Automated Indicator Sharing initiative, which was created to enable timely exchange of cyber threat indicators among the private sector and government departments and agencies.

In addition, an entity that takes advantage of CISA is authorized to use defensive measures in the face of a cybersecurity threat. On the other hand, CISA prohibits entities from harming third parties’ systems, i.e., hacking back.

Once CISA’s safe harbors are triggered, the entity is protected from civil, regulatory and antitrust liability based on the act of sharing—sending or receiving—the cybersecurity threat information.  Further, under CISA, the act of sharing the information does not waive privilege or other protections, such as trade secrets, and is not subject to the sharing requirements of the Freedom of Information Act (“FOIA”).  The entity can protect and maintain ownership of any commercial, financial, or proprietary information that it shares by designating it as such when the information is shared.

Importantly, CISA’s safe harbor does not shield entities from potential liability for failing to act in the event of a cybersecurity threat.  Thus, an entity that receives information about a cybersecurity threat through the program, but fails to act, could still be liable under common law causes of action such as negligence. Further, no provisions prohibit a private individual or government entity from using an entity’s non-participation in CISA in a future lawsuit. Nevertheless, CISA does not affirmatively create a duty to warn or act based on cybersecurity threat information.

CISA effectively centralizes information sharing with the Department of Homeland Security, which has 90 days from the signing of CISA to implement the capability and process for sharing cybersecurity threat information.  In addition, under the terms of CISA, non-federal entities that are subject to federal regulation can continue to communicate cybersecurity threats directly to their respective federal regulatory authorities, not DHS, and still gain the protection of CISA’s safe harbors.

Looking ahead, participation in the cybersecurity threat information program by private entities requires a thoughtful balancing of the protections and limitations afforded under CISA.  These entities should consult with counsel before participating.

Reporter, Julie A. Stockton, Palo Alto, +1 650 422-6818