The Cybersecurity Act of 2015 (the “Act”) was passed by Congress today as part of the 2016 omnibus spending package. The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of our previous analysis, although there are some important differences which we highlight below. If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities.
Title I of the Act, “Cybersecurity Information Sharing,” establishes the core cybersecurity information sharing framework: a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between “non-federal entities” (defined to include State, tribal, or local governments) and “federal entities.” As in CISA, the Act provides liability protections and an antitrust exemption, such that “no cause of action shall lie or be maintained in any court against any private entity” for the monitoring, sharing, or receipt of cyber threat indicators or defensive measures in accordance with the Act. Before a Federal or non-Federal entity shares information pursuant to the Act, Title I requires the removal of “personal information of a specific individual or information that identifies a specific individual” that is “not directly related to a cybersecurity threat.” Notable differences between Title I of the Act and Title I of CISA include:
- The prohibitions in Sections 104 and 105 on federal, state, tribal, and local government regulation (including enforcement actions) of the lawful activity of private entities relating to “monitoring, operating a defensive measure, or sharing of a cyber threat indicator” have been expanded to include “any activity taken by a non-Federal entity pursuant to mandatory standards.”
- Although the Department of Homeland Security (“DHS”) remains responsible for developing and implementing the “capability and process” for information sharing under the Act, a new provision in Section 105 allows the President to designate another federal entity (not including the Department of Defense) to do so with 30-day notice to Congress explaining why the additional federal entity is necessary and appropriate.
- The liability protections in Section 106 have been expanded as compared to CISA, because there is no longer an exclusion for “gross negligence or willful misconduct.”
- Section 106 has also been expanded to state that Title I may not be construed to create “a duty to share” or a “duty to warn or act based on the receipt of” a cyber threat indicator or defensive measure.
- A new subsection of Section 108 (“Construction and Preemption”) provides that Title I shall not be construed “to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.”
- The 10-year sunset provision is now in new Section 111 (“Effective Period”) such that it now only applies to Title I of the Act, as opposed to all of CISA, though there is a separate 7-year sunset provision for the reporting requirements in Title II.
Title II of the Act, “National Cybersecurity Advancement,” includes a new Subtitle A entitled “National Cybersecurity and Communications Integration Center” (the “Center”). This subtitle amends the Homeland Security Act of 2002, 6 U.S.C. § 141 et seq., to add several provisions designating the Center, which is within DHS, as the federal entity responsible for implementing the sharing of information authorized by Title I. The Center’s functions are expanded by the Act to include, among other things, “sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities,” engaging with international partners to collaborate on cybersecurity information sharing and “enhance the security and resilience of global cybersecurity,” designating an agency contact for non-Federal entities, and entering into “voluntary information sharing relationships” with non-Federal entities. Under Section 210, Subtitle A explicitly does not grant DHS “any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities.”
Subtitle B of Title II, “Federal Cybersecurity Enhancement,” is very similar to the corresponding provision of CISA, establishing new cybersecurity-related requirements for the federal government or amending existing laws to improve federal network security, advance internal defenses, and establish specific reporting requirements on government agencies. There are a few notable differences from CISA, however, as follows:
- Private entities participating in the new “Federal Intrusion Detection and Prevention System” under Section 223 may no longer disclose network traffic transiting or traveling to or from an agency information system to an entity “other than” DHS, whereas in CISA they could further disclose it with the government’s consent.
- DHS must now also “consult with Federal contractors as appropriate” on procedures for issuing emergency directives in response to information security threats under Section 229.
There were no substantive changes to Title III (“Federal Cybersecurity Workforce Assessment”), which requires the government to assess the state of federal government cybersecurity workforce needs. Finally, Title IV of the Act (“Other Cyber Matters”), which contains several cybersecurity-related provisions, remains largely unchanged from Title IV of CISA. Title IV’s provisions include requiring government studies and development of voluntary best practices for cybersecurity and an amendment to the access device fraud statute, 18 U.S.C. § 1029, to allow for the prosecution of foreign individuals for access device fraud even if none of their assets are within the jurisdiction of the United States. The only important difference in Title IV is the removal of CISA’s Section 407 (“Strategy to Protect Critical Infrastructure at Greatest Risk”), which was strongly opposed by financial services groups on the ground that it would lead to increased regulation of private industry.