Passing cybersecurity information-sharing legislation has been a top policy priority of ASIS for years. Recent cyber incidents have underscored the need for legislation to help businesses improve their awareness of cyber threats and to enhance their protection and response capabilities in collaboration with government entities. Cyberattacks aimed at U.S. businesses and government have increasingly been launched by sophisticated hackers, organized crime, and state-sponsored groups, and ASIS has been committed to working with lawmakers and their staff to get cybersecurity information-sharing legislation quickly enacted.
On December 15, 2015, the House and Senate passed an omnibus appropriations package that includes legislation to provide liability protection and certain confidentiality protections to companies that voluntarily engage in cyber threat information sharing with one another or with the federal government. The legislation is designed to encourage greater and more timely sharing of cyber threat data by reducing the threat of litigation and regulation and while protecting private information. The new law combines parts of three different cybersecurity information sharing bills previously passed by either the House or Senate in 2015 with strong bipartisan support, and was signed into law by President Obama on December 18, 2015.
Key provisions include:
- Authorizing companies to monitor their information systems, to share and receive cyber threat and defense information, and to take defensive measures.
- Requiring all entities that participate in cyber threat sharing to protect the data they collect, maintain and share from unauthorized access and disclosure.
- Requiring the scrubbing of personally identifiable information before a threat indicator is shared.
- The Department of Homeland Security (DHS) provides the portal through which information will be shared with the federal government. DHS has responsibilities to maintain privacy and civil liberties protections, and to provide an automated sharing process.
- Companies that share or receive information are not liable for failing to warn or act based on receiving or providing such information.
- Threat information shared with the federal government will not be used to regulate lawful activities, nor does it waive any privilege or protection, and is exempt from certain disclosure laws.
- The Department of Justice (DOJ) and DHS will jointly develop interim policies for sharing of information with the federal government and private entities within 60 days, and full policies within 180 days of enactment. Within 60 days of enactment, DOJ and DHS are also required to develop guidelines for private entities sharing information with the federal government.
- Most provisions sunset after 10 years.