April 23, 2024
Volume XIV, Number 114
Home
Legal Analysis. Expertly Written. Quickly Found.
Login

Trending News

Congress Passes the Cybersecurity Act of 2015
Sunday, December 20, 2015
cybersecurity, computer, laptop, lock, chain, security, data protection, malware, spyware
Print Mail Download i

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress today as part of the 2016 omnibus spending package.  The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of our previous analysis, although there are some important differences which we highlight below.  If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities.

Title I of the Act, “Cybersecurity Information Sharing,” establishes the core cybersecurity information sharing framework: a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between “non-federal entities” (defined to include State, tribal, or local governments) and “federal entities.”  As in CISA, the Act provides liability protections and an antitrust exemption, such that “no cause of action shall lie or be maintained in any court against any private entity” for the monitoring, sharing, or receipt of cyber threat indicators or defensive measures in accordance with the Act.  Prior to sharing information pursuant to the Act by Federal or non-Federal entities, Title I requires the removal of “personal information of a specific individual or information that identifies a specific individual” that is “not directly related to a cybersecurity threat.”  Notable differences between Title I of the Act and Title I of CISA include:

  • The prohibitions in Sections 104 and 105 on federal, state, tribal, and local government regulation (including enforcement actions) of the lawful activity of private entities relating to “monitoring, operating a defensive measure, or sharing of a cyber threat indicator” has been expanded to include “any activity taken by a non-Federal entity pursuant to mandatory standards.”

  • Although the Department of Homeland Security (“DHS”) remains responsible for developing and implementing the “capability and process” for information sharing under the Act, a new provision in Section 105 allows the President to designate another federal entity (not including the Department of Defense) to do so with 30-day notice to Congress explaining why the additional federal entity is necessary and appropriate.

  • The liability protections in Section 106 have been expanded as compared to CISA, because there is no longer an exclusion for “gross negligence or willful misconduct.”

  • Section 106 has also been expanded to state that Title I may not be construed to create “a duty to share” or a “duty to warn or act based on the receipt of” a cyber threat indicator or defensive measure.

  • A new subsection of Section 108 (“Construction and Preemption”) provides that Title I shall not be construed “to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.”

  • The 10-year sunset provision is now in new Section 111 (“Effective Period”) such that it now only applies to Title I of the Act, as opposed to all of CISA, though there is a separate 7-year sunset provision for the reporting requirements in Title II.

Title II of the Act, “National Cybersecurity Advancement,” includes a new Subtitle A entitled “National Cybersecurity and Communications Integration Center” (the “Center”).  This subtitle amends the Homeland Security Act of 2002, 6 U.S.C. § 141 et seq., to add several provisions designating the Center, which is within DHS, as the federal entity responsible for implementing the sharing of information authorized by Title I.  The Center’s functions are expanded by the Act to include, among other things, “sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities,” engaging with international partners to collaborate on cybersecurity information sharing and “enhance the security and resilience of global cybersecurity,” designating an agency contact for non-Federal entities, and entering into “voluntary information sharing relationships” with non-Federal entities.  Under Section 210, Subtitle A explicitly does not grant DHS “any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities.”

Subtitle B of Title II, “Federal Cybersecurity Enhancement,” is very similar to the corresponding provision of CISA, establishing new cybersecurity-related requirements for the federal government or amends existing laws to improve federal network security, advance internal defenses, and establish specific reporting requirements on government agencies.  There are a few notable differences, however, from CISA, as follows:

  • Private entities participating in the new “Federal Intrusion Detection and Prevention System” under Section 223 may no longer disclose network traffic transiting or traveling to or from an agency information system to an entity “other than” DHS, whereas in CISA they could further disclose it with the government’s consent.

  • DHS must now also “consult[] with Federal contractors as appropriate” on procedures for issuing emergency directives in response to information security threats under Section 229.

There were no substantive changes to Title III (“Federal Cybersecurity Workforce Assessment”), which requires the government to assess the state of federal government cybersecurity workforce needs.  Finally, Title IV of the Act (“Other Cyber Matters”), which contains several cybersecurity-related provisions, remains largely unchanged from Title IV of CISA.  Title IV’s provisions include requiring government studies and development of voluntary best practices for cybersecurity and an amendment to the access device fraud statute, 18 U.S.C. § 1029, to allow for the prosecution of foreign individuals for access device fraud even if none of their assets are within the jurisdiction of the United States.  The only important difference in Title IV is the removal of CISA’s Section 407 (“Strategy to Protect Critical Infrastructure at Greatest Risk”), which was strongly opposed by financial services groups on the ground that it would lead to increased regulation of private industry.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins

 

Logo-white

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC