Written by Keenan W. Ng
With Congress coming back from its summer recess, it will be focusing on a few cybersecurity-related bills. One of the most controversial of these bills is the Cybersecurity Information Sharing Act of 2014 (“the Act”), introduced by Senator Dianne Feinstein (D-CA) and Senator Saxby Chambliss (R-GA) for the fourth consecutive year. The Act is supposed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” While some of the ideas and the language behind the Act seem reasonable and commonsense, the devil is in the details (or rather, the definitions in the Act), which could have some very interesting implications for individuals and businesses.
The Act allows for private companies and the Federal government to share information categorized as “cyber threat indicators” and “countermeasures” as they relate to cybersecurity threats and cybersecurity purposes. Private companies could also share such information with other private companies for the same purposes. The Act would also allow private companies to monitor their own “information systems,” as well as the information systems of other companies and Federal entities with written consent.
For companies sharing applicable information with other companies, the Act would provide an antitrust exemption if applicable information is shared for cybersecurity purposes as defined under the Act. To be sure, the Act does not protect any sharing of information that would permit price-fixing, monopolizing, or other conduct that would traditionally violate federal antitrust laws.
The Act also provides companies with protections from liability (1) if a firm monitors information and information systems as consistent with the Act; (2) if a firm shares or receives cyber threat indicators or countermeasures as consistent with the Act; and (3) if a firm believed in good faith that its actions were permitted under the Act.
Not surprisingly, many civil liberties organizations such as the American Civil Liberties Union and the Electronic Frontier Foundation have expressed considerable concern with the Act. In particular, key terms such as “cyber threat indicators,” “countermeasures,” “cybersecurity purpose,” and “cybersecurity threat” are very broadly defined, thus encompassing a vast amount of information that private companies might “voluntarily” provide to Federal agencies.
Because of the liability protections provided by the Act, consumers and those whose information is shared with Federal agencies would have little to no recourse through the courts. For businesses, however, the Act provides some breathing room – from a legal standpoint – with regard to sharing information. Whether this elicits a consumer response is an entirely different matter.