Congress Enacts Cyber-Threat Information-Sharing Law

    Jan 13, 2016

    After years of debate, Congress passed legislation (S. 754) that provides liability protection to companies that voluntarily disclose cyber-threat information to the government and industry partners. The legislation was included in a massive spending bill (H.R. 2029) passed by Congress and signed into law by President Obama on December 18, which funds government agencies and programs for the remainder of fiscal year 2016.

    Known as the Cybersecurity Information Sharing Act of 2015, the legislation responds to growing cybersecurity threats to the U.S. economy and its consumers, businesses, and the government. It requires the federal government to share more information, including classified information under appropriate safeguards, with relevant private sector entities to further cybersecurity efforts. The legislation includes legal authorities for private companies to monitor their networks for cybersecurity purposes, take defensive measures to stop cyber attacks, and share cyber threat information with each other and with the government.

    “In addition to concerns about legal authorities, the specter of litigation for monitoring a company’s own networks or sharing cyber threat indicators or defensive measures for cybersecurity purposes has disincentivized private sector cybersecurity efforts,” noted the Senate Intelligence Committee in a report filed on the legislation. “Entities appropriately monitoring their systems for cybersecurity threats and sharing information necessary to protect against those threats should not be exposed to costly legal uncertainty for doing so.”

    Moreover, the report noted, “It is these same companies who are the victims of malicious cyber activity, and their appropriate efforts to protect themselves and other future victims from cyber threats should not only be authorized but protected from unnecessary litigation.”

    “It is difficult to overstate the threat posed by bad cyber actors to our security, our privacy and our economy,” said Rep. Adam Schiff (D-Calif.), the ranking Democratic member of the House Intelligence Committee. “After several years of effort, Congress has now produced a bipartisan cyber bill that allows the private sector and government to share information about malicious intrusions to protect Americans from further harm.”

    Prior to sharing cyber threat data, companies are required to remove any extraneous personal information, and the Department of Homeland Security (DHS) is required to perform a second scrubbing. The Justice Department and DHS are also required to jointly issue, and make publicly available within six months, final guidelines relating to privacy and civil liberties. Such guidelines would govern the receipt, retention, use, and dissemination of cyber threat data.

    Privacy advocates, however, were not satisfied with the legislation’s safeguards.

    “Information shared for cybersecurity reasons should be used for cybersecurity purposes, but this legislation does not impose this simple requirement,” stated Jadzia Butler, a privacy, surveillance, and security fellow with the Center for Democracy and Technology, in a blog post. The legislation “permits information shared under the bill to be used for a myriad purposes completely unrelated to cybersecurity, including prosecuting espionage and trade secrets violations and other crimes.”

    “This makes the legislation seem as much a surveillance as a cybersecurity bill,” she added.

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession.





    © 2017, ARMA International