Congress constantly introduces new legislation to address the growing problem of cyber-attacks, most of which has little likelihood of passage. But the recently enacted Cybersecurity Information Sharing Act (“CISA”) actually did pass, and it is one of the more important (and sometimes heralded) cybersecurity regulatory initiatives. It passed in a crafty way, of course: tucked away incognito in the December 2015 $1.15 trillion omnibus budget bill (Pub. L. No. 114-113), starting at page 694.
CISA encourages the sharing of “cyber threat indicators” and “defensive measures” between and among private entities and the federal government. It provides a safe harbor from liability for private entities that share such information or monitor their systems for cyber threats, and it is yet another critical regulatory consideration during the response to a cyber-attack. Among other things, CISA requires the Department of Homeland Security (“DHS”) to establish a portal for collecting threat information and a system for disseminating that information to private- and public-sector entities.
As an aside, DOJ and the Federal Trade Commission had previously issued antitrust guidance to promote the sharing of cybersecurity information, but nothing near as monumental as CISA. (“Through this Statement, the Department of Justice’s Antitrust Division (the “Division”) and the Federal Trade Commission (the “Commission” or “FTC”) (collectively, the “Agencies”) explain their analytical framework for information sharing and make it clear that they do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing. Cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans.”)
Some Thoughts on CISA. It is still too early to predict the impact of CISA, and similarly challenging to provide meaningful general advice (because every data breach is different). But CISA is nonetheless an important piece of legislation, one that will undoubtedly be discussed by every incident response team, and it warrants some initial analysis.
First, public companies making a disclosure under CISA should remain mindful of their SEC disclosure obligations concerning cyber-attacks. A CISA disclosure could trigger SEC reporting and a litany of other state, federal and international disclosure obligations. The SEC in particular is becoming more and more aggressive when it comes to public companies and cybersecurity, so public companies and SEC-regulated entities such as investment advisers and broker-dealers should be especially careful with DHS Portal disclosures.
Second, the CISA safe harbor covers only the acts of monitoring and sharing, not a company’s overall cybersecurity. Companies therefore need to be careful not only about what they disclose to the DHS Portal (for example, CISA requires the sharing entity to remove, before sharing, any personal information of specific individuals that it knows is not directly related to the cybersecurity threat) but also about: 1) whether and when they disclose to the DHS Portal; and 2) how they manage their incident response.
Third, if a public company making a DHS Portal disclosure holds any federal contracts, the disclosure could ultimately result in an intense and sophisticated cybersecurity audit by US-CERT (the United States Computer Emergency Readiness Team), part of DHS’s National Cybersecurity and Communications Integration Center (NCCIC). NCCIC leads efforts to improve the cybersecurity posture of the U.S., coordinate cyber information sharing, and proactively manage cyber risk, especially at U.S. government contractors.
Fourth, any company considering a DHS disclosure should also carefully review DHS’s recent guidelines on cybersecurity information sharing, which shed more light on the process. The DHS guidance comprises four draft documents:
- Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government;
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities;
- Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government; and
- Privacy and Civil Liberties Interim Guidelines.
Finally, a CISA disclosure may present some liability concerns. Although cyber threat information shared via the DHS Portal is treated as proprietary information of the sharing entity, is exempt from disclosure under the Freedom of Information Act, and generally may not be used by federal or state agencies for regulatory purposes, these protections have yet to be tested and have raised questions among data security experts. (“CISA’s protections also raise interpretive issues that bear further analysis, including the meaning of the protections against federal and state regulatory and enforcement action (including the reference to protection against enforcement actions for “lawful conduct”). As another example, CISA’s preservation of contracts provision would need to be analyzed in relation to the liability protection.”)
Moreover, DHS may opt to pass information submitted to the DHS Portal along to the FBI and NSA for further investigation and, potentially, legal action. According to one report, Senator Dianne Feinstein described the CISA communication lines as a conveyor belt carrying information from DHS to the FBI, reportedly stating: “Once cyber information enters the portal it will move at machine speed to other federal agencies.”
This, in turn, could trigger class actions and other kinds of litigation (for example, a suit by a company customer whose data was unlawfully shared with the government, or by a third-party vendor that was affected by the disclosed cyber-attack).
Conclusion. The good-hearted intentions of CISA are clear (it is definitely a positive step for U.S. cybersecurity), and there is certainly a need for companies to embrace the open communication lines now offered by the federal government, pool resources and coordinate a defense. But privacy advocates and civil liberties groups see CISA as a free pass allowing companies to monitor users and share their information with the government without a warrant, while offering a backdoor circumventing any laws that might protect users’ privacy.
In any case, CISA’s DHS data breach information pipeline is still relatively new legal territory. Before sending information to the DHS Portal, public company executives owe it to their shareholders to make DHS disclosures only as part of a comprehensive incident response plan, and to consult with outside counsel about all of the potential ramifications of a DHS Portal disclosure. There are legitimate privacy and liability concerns with CISA.
Moreover, a DHS disclosure must be coordinated by an IT, compliance and legal team well-schooled in the art of producing data according to CISA’s requirements. This means sharing only information that satisfies the seemingly comprehensive definitions of “cyber threat indicator” and “defensive measure” (while working around the absence of a definition of “personal information”), and complying with the requirement to strip personal information from the disclosures, which appears to be the obligation of the disclosing company.
There is also the looming question of data that sits outside the United States, such as data residing in the European Union, which may be afforded far greater protection than U.S. law provides. For instance, the EU arguably affords privacy protection to server logs, IP addresses and web cookies. More importantly, CISA’s liability protection does not extend to threat information shared with foreign governments, and sharing with other private-sector entities is protected only when it follows the Act’s procedures.
Beyond the technical protections of the DHS Portal itself, DHS asserts that CISA “importantly provides two layers of privacy protections: companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.” However, relying on the federal government to decide what is, and is not, personal information is just one concern. Relying on the federal government to develop a technically successful automated process for removing what it considers to be personal information is even more concerning.
Finally, the incentive angle of CISA is also somewhat troubling. It is true that CISA imposes no express requirement to disclose to DHS; it merely facilitates disclosure and adds certain purported protections. However, not every company will see it that way. Stepping back for a moment:
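The two paragraphs above put the burden of removing personal information on the disclosing company and then question whether an automated process can do it well. The following is an added example, not code from the original post or from DHS, of what a field-aware scrubber for one common indicator source (a phishing e-mail) looks like, and of why a blanket "redact every e-mail address" pass fails. The sample message, the field names, and the rule that mailboxes on the attacker's own domain are infrastructure rather than personal information are all assumptions made for the example; CISA itself defines neither the record format nor "personal information".

```python
import json
import re
from dataclasses import dataclass, field, asdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
REDACTED = "[REDACTED]"

# Constructed sample phishing message; not taken from the original post.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@secure-login-reset.example>
To: Jane Doe <jane.doe@victimcorp.example>, Bob Roe <bob.roe@victimcorp.example>
Subject: Password reset required for jane.doe
Message-ID: <20160307141200.ABCDEF@secure-login-reset.example>

Jane, your mailbox jane.doe@victimcorp.example will be locked.
Reset here: http://secure-login-reset.example/reset?user=jane.doe
Call Jane at 555-0142 if you have questions.
"""


@dataclass
class Indicator:
    """Hypothetical record of what the sharing entity transmits: attacker-controlled
    artefacts only. The message body and the recipient list are never included."""
    sender: str
    sender_domain: str
    subject: str
    message_id: str
    urls: list = field(default_factory=list)
    redactions: int = 0


def protected_identities(msg):
    """Recipient addresses, their local parts and display-name tokens: the
    personal information of specific individuals that must be removed."""
    idents = set()
    for name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        addr = addr.lower()
        if addr:
            idents.add(addr)
            idents.add(addr.split("@")[0])
        idents.update(t.lower() for t in name.split() if len(t) > 2)
    return idents


def extract_indicator(msg):
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()  # single-part sample; multipart mail would need msg.walk()
    return Indicator(sender=sender, sender_domain=sender.rsplit("@", 1)[-1],
                     subject=msg.get("Subject", ""), message_id=msg.get("Message-ID", ""),
                     urls=sorted(set(URL_RE.findall(body))))


def scrub(ind, idents):
    """Field-aware redaction: longest identifiers first, so 'jane.doe' is replaced
    as a whole before the bare tokens 'jane' and 'doe' are tried."""
    patterns = [re.compile(re.escape(i), re.IGNORECASE)
                for i in sorted(idents, key=len, reverse=True)]
    count = 0

    def redact(text):
        nonlocal count
        for pat in patterns:
            text, n = pat.subn(REDACTED, text)
            count += n
        return text

    ind.subject = redact(ind.subject)
    ind.urls = [redact(u) for u in ind.urls]
    ind.redactions = count
    return ind


def residual_findings(ind):
    """Second-pass review of the sharable fields: any mailbox that is not on the
    attacker's own domain is flagged as possible personal information (assumption)."""
    findings = []
    for text in [ind.subject, ind.message_id, *ind.urls]:
        for addr in EMAIL_RE.findall(text):
            if addr.lower().rsplit("@", 1)[-1] != ind.sender_domain:
                findings.append(addr)
    return findings


def prepare_for_sharing(raw):
    msg = message_from_string(raw)
    ind = scrub(extract_indicator(msg), protected_identities(msg))
    return asdict(ind), residual_findings(ind)


def naive_redact(text):
    """Contrast case: blanket e-mail redaction also erases the attacker's sender
    address, destroying the indicator it was supposed to protect."""
    return EMAIL_RE.sub(REDACTED, text)


if __name__ == "__main__":
    record, findings = prepare_for_sharing(SAMPLE_EMAIL)
    print(json.dumps(record, indent=2))
    print("residual findings:", findings)
    print("naive pass keeps sender?", "helpdesk@" in naive_redact(SAMPLE_EMAIL))
```

The design point is that "personal information" is a property of who a value belongs to, not of what it looks like: the attacker's address and the victim's address match the same regex, so the scrubber has to know which headers name recipients before it can decide what to remove. The residual check exists because the first pass is only as good as the identity list it was given; a recipient mentioned by nickname in the subject would slip through it, which is the kind of gap a human review must catch.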
The treatment of cyber-attack victims is less about understanding and sympathy, and more about anger, vilification, suspicion and finger pointing. Sadly, the world of incident response is an upside-down one: rather than being treated like the victim of a crime perpetrated by others, companies experiencing a cyber-attack are often treated like the criminal, becoming defendants in federal and state enforcement actions, class actions and a litany of other costly and crippling proceedings.
Unlike the victims of disasters such as fires, floods and tornadoes, companies that experience a cyber-attack today should not expect any assistance, or even compassion, from the government. In fact, they should expect quite the opposite, for several reasons.
- First, the U.S. government is overwhelmed with protecting the nation’s own infrastructure and does not have a SWAT team or a rescue team standing-by to assist U.S. companies after a cyber-attack;
- Second, given the many differing state privacy statutory regimes and a growing range of federal agency jurisdiction (each wielding their own unique set of rules, regulations, statutes and enforcement tools), instead of a helping hand, cyber-attack victims should expect subpoenas, enforcement actions and an onslaught of litigation. For instance, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving PII; and
- Third, the public’s (and Congress’s) view of cyber-attack victims has sadly become not a view of understanding or empathy but rather a view of suspicion, skepticism and even vilification.
After a breach, many companies are surprised (even dismayed and shocked) to learn how persistent and determined federal and state investigators can be, despite the company being the victim of what is often akin to a terrorist attack. In my experience, companies experiencing a cyber-attack will strive to do anything they can to curry favor with and enable assistance from the federal government, including submitting information to the DHS Portal. Thus, stating that submitting intel to the DHS Portal is entirely voluntary strikes me as intellectually dishonest.
In the end, the more Pollyannaish outside counsel might vote for maximum cooperation, including submitting stripped-down threat indicators to the DHS Portal and to the other agencies to which the DHS Portal will automatically funnel that information. But outside counsel who adhere to the notion, often attributed to Oscar Wilde, that “no good deed goes unpunished” might counsel otherwise.