As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754).  If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities.  CISA must now be reconciled with two similar bills that the House passed in April before it can be sent to the President and enacted into law.  According to CISA’s co-sponsor Sen. Richard Burr (R-NC), a conference version of CISA will not be available for review until January 2016, at the earliest.  Below is a deeper explanation of CISA’s four Titles and how they purport to improve cybersecurity.

Title I:  Cybersecurity Information Sharing Act of 2015

Title I establishes the core cybersecurity information sharing framework to include, among other issues, what information can be shared by the government and private entities, liability protections for entities that share, and government oversight of the programs the Act establishes.  Outlined below are key sections of CISA.

Section 103 outlines how the federal government can share certain cybersecurity information with other entities—both private and public.  Specifically, this section establishes that within 60 days of enactment, the Director of National Intelligence, the Secretaries of Homeland Security and Defense, and the Attorney General, in consultation with other heads of federal entities, “shall develop and promulgate procedures to facilitate and promote” sharing of the following:

  • classified cyber threat indicators to appropriately cleared individuals (which would include individuals in the private sector who possess such clearances), and cyber threat indicators or other related information that are unclassified (including declassified or controlled unclassified information);
  • information about cybersecurity threats to “prevent or mitigate adverse effects from such cybersecurity threats;” and
  • “best practices that are developed based on ongoing analysis of cyber threat indications and information in possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns….”

The section also establishes the following requirements, limitations, and civil-liberty protections that must be considered in the development of the information-sharing procedures:

  • the government must maintain “the capability to share cyber threat indicators in real time consistent with the protection of classified information;”
  • the procedures must attempt to incorporate “existing processes and existing roles and responsibilities of Federal and non-Federal entities for information sharing by the Federal government[,]” which includes information sharing and analysis centers (“ISACs”);
  • the government must notify entities if certain cyber threat indicators are shared with an entity “in error or in contravention of the requirements of this title or another provision of Federal law or policy…;”
  • federal entities that share information must have security controls in place to protect against unauthorized access to the information;
  • the procedures must include a process that requires, before sharing information, the government to: (i) review information to assesses whether it “contains any information that [the government] knows at the time of sharing to be personal information in information that identifies a specific person not related to a cybersecurity threat and remove such information;” or (ii) develop and use an automated process to remove personal information from the data “that identifies a specific person not directly related to a cybersecurity threat”; and
  • the government must notify “any United States person whose personal information is known or determined to have been shared” by the government in violation of the Act.

Section 104 generally authorizes procedures for “preventing, detecting, analyzing, and mitigating cybersecurity threats.”  The section specifically authorizes private entities to monitor or deploy “defensive measures” on their own systems for “cybersecurity purposes”—or, with written consent, a third-party’s system, including the federal government’s.  It also authorizes private entities to share cyber threat indicators or defensive measures with other private entities or the federal government.  Similar to the control required in Section 103, private entities must implement security controls for the information and remove information that the entity “knows at the time of sharing” to be personally identifiable.  Section 104 also provides disclosure prohibitions for State, tribal, and regulatory authorities—such properly shared information is exempt from laws requiring disclosure of information or records and is prohibited from being used directly by “any State, tribal, or local government to regulate, including an enforcement action….”

This section also exempts the exchange of cyber threat indicators, “or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat,” from “any provision of antitrust laws.”  Specifically, this exemption applies to information that is shared or assistance provided with “facilitating the prevention, investigation, or mitigation of a cybersecurity threat” or “communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat.”  However, under Section 108(e), the antitrust exemption does not apply to “price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.”

Section 105 outlines how private and public entities can share certain cybersecurity information with the federal government through the Department of Homeland Security.  Similar to the above sections, the Attorney General and Secretary of Homeland Security, in consultation with other heads of federal entities, must develop policies and procedures, subject to certain requirements, limitations, and civil-liberty protections.  The following are examples of the specifications:

  • the government must develop a real-time sharing (or as close to real-time sharing as possible) mechanism for both the private entities and intra-government sharing;
  • information shared with the Department of Homeland Security will automatically forward to “appropriate Federal entities,” defined as the Departments of Commerce, Defense, Energy, Justice, and the Treasury, as well as the Office of the Director of National Intelligence;
  • the government must develop audit capabilities for “officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this title in an unauthorized manner;”
  • the government may only use the information in a manner that it be “disclosed to, retained by, and used by” the federal government for “a cybersecurity purpose,” with accompanying regulatory authority limited to “the prevention or mitigation of cybersecurity threats;”
  • information shared with the government is exempt from the Freedom of Information Act;
  • sharing of such information “shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection” and the information may be considered the “commercial, financial, and proprietary information” of a submitting entity, if so designated at time of submission; and
  • shared information “shall not be directly used by any Federal, State, tribal, or local government to regulate, including enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators” except if used to “inform the development or implementation of regulations relating to such information systems.”

Section 106 establishes liability protections for certain monitoring and information sharing activities.  Specifically, the section establishes that “[n]o cause of action shall lie or be maintained in any court against any private entity” for the monitoring and sharing of cyber threat indicators or defensive measures authorized by Section 104.  The protection is limited, however, in that it does not apply to “gross negligence or willful misconduct,” and does not “undermine or limit the availability of otherwise applicable common law or statutory defenses.”  In addition, the liability protections do not apply to “any action that solely involves violation of a consumer term of service or a consumer licensing agreement,” which are excluded from the definition of “cybersecurity threat.”

Section 108 makes clear that CISA’s information-sharing framework is explicitly voluntary.  The section outlines that the government cannot “require an entity to provide information” to the government or another third party and no liability exists “for choosing not to engage in the voluntary activities authorized in this title.”

Titles II-IV

Title II (“Federal Cybersecurity Enhancement Act of 2015”) establishes new cybersecurity-related requirements for the federal government or amends existing laws focused on cybersecurity, including improving federal network security, advancing internal defenses, and establishing specific reporting requirements.

Title III (“Federal Cybersecurity Workforce Assessment Act of 2015”) establishes new cybersecurity-related requirements for assessing the cyber-readiness of the federal workforce, including identifying certain cyber-related roles as being critical, requiring each federal agency to develop a process to account for its cybersecurity manpower needs, and require certain Government Accountability Office reports.

Title IV (“Other Cyber Matters”) contains an assortment of cybersecurity-related provisions.  A number of these provisions impose requirements on the federal government relating to cybersecurity to include the following:  authorizations for a government study on mobile device security, development of an international cyberspace policy strategy at the Department of State, coordination by the Department of State with other countries for the apprehension and prosecution of international cyber criminals, and reports to Congress on the state of federal computer security.  The remaining provisions directly involve or affect the private sector to include the following:  the development of voluntary cybersecurity best practices for emergency response providers and the healthcare industry, the development of mitigation strategies for cybersecurity incidents that effect critical infrastructure, and an amendment to the access device fraud statute, 18 U.S.C. § 1029, to allow for the prosecution of foreign individuals for access device fraud even if none of their assets are within the jurisdiction of the United States.

Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and…

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.

Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.