The Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to take advantage of Title I of the Cybersecurity Act of 2015 – the Cybersecurity Information Sharing Act of 2015 (“CISA”).

It’s been clear for many years that greater information-sharing between companies and with the government would help fight cyber threats. The barriers to such sharing have been (1) liability exposure for companies that collect and share such information, which can include personally identifiable information, and (2) institutional and educational impediments to analyzing and sharing information effectively.

CISA is designed to remove both of these information-sharing barriers. First, CISA provides immunity to companies that share “cyber threat indicators and defensive measures” with the federal government in a CISA-authorized manner. Second, for a “cybersecurity purpose,” CISA authorizes both the monitoring of information systems and the use and sharing of defensive measures. CISA also mandates that federal agencies establish privacy protections for shared information and publish procedures and guidelines to help companies identify and share cyber threat information. Notably, companies are not required to share information in order to receive information on “threat indicators and defensive measures,” nor are entities required to act upon information received – but this won’t shield companies from ordinary ‘failure to act’ negligence claims.

A new age for monitoring?

For decades, private entities have conducted security monitoring of their computer systems, of the computer usage of employees, and of customer communications, as limited by law. For example, it is generally lawful for companies, in the ordinary course of business, to intercept, disclose, or use communications in order to render services or protect their property – the provider exception under 18 U.S.C. § 2511(2)(a)(i). Companies generally may also assist law enforcement in monitoring the communications of hackers under investigation on the company’s network – the trespasser exception under 18 U.S.C. § 2511(2)(h)(i). Otherwise, however, entities typically engage in monitoring via consent, such as through employee policies, terms of use, and privacy policies. Many companies monitor internet usage, track employees’ locations via GPS, and log physical and digital access records. Commonly understood benefits of a cyber monitoring and surveillance program include limiting vicarious liability, managing employee performance, protecting intellectual property, deterring theft and violence, and ensuring system security.

Prior to CISA, federal and state laws restrained the level of permissible cyber monitoring and surveillance, such as through the limited provider and trespasser exceptions. But now, under CISA, companies may perform monitoring of computer systems “notwithstanding any other law,” as long as done for “cybersecurity purposes,” which CISA defines as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” But what does that mean? Guidance from executive branch agencies, required by CISA, will hopefully clarify the extent to which monitoring may be conducted by private entities, but the specific parameters of permissible monitoring may remain unclear until this issue lands in court.

Lingering risks?

The following laws, among others, restrict the monitoring and surveillance of employees and of information systems:

  • The Federal Wiretap Act
  • The Stored Communications Act
  • State wiretapping laws
  • Federal and state privacy & security laws
  • The National Labor Relations Act

Although CISA authorizes monitoring and information-sharing “notwithstanding any other law,” entities should carefully review any expanded monitoring program against the laws above. And despite offering broad civil and regulatory liability protection for private entities that engage in CISA-authorized cyber monitoring and information-sharing, CISA also provides that “nothing in this title shall be construed to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any entities….” Thus, entities seeking to expand monitoring and information-sharing activities must be cognizant of any contractual obligations that may limit or preclude such activities.

Criticism and CISA’s future?

Although the U.S. Chamber of Commerce has embraced it, CISA has many critics, from both policy and technical perspectives. For example, U.S. Rep. Justin Amash (R-Mich.) recently introduced a bill to repeal CISA, proclaiming “It’s the worst anti-privacy law since the USA PATRIOT ACT, and we should repeal it as soon as possible.” From a technical perspective, CISA may provide a larger pool of threat indicators, but indicators are not signatures – much of what is likely to be shared may simply cloud the pool of useful indicators, obscuring valuable threat information without providing actionable information to further protect networks. And the breadth of monitoring activities CISA authorizes for private entities will no doubt be challenged in the courts.

Yet despite the criticism, CISA is now federal law, enacted after nearly a decade of unsuccessful attempts by Congress to pass cybersecurity information-sharing legislation. Companies should be alert for upcoming developments that will hopefully clarify what was left open-ended by Congress – within the next few months various federal agencies, including the Department of Homeland Security, the Department of Justice, and others, will issue implementing guidelines, procedures, and regulations for CISA.