After seeking to pass broad private sector cybersecurity legislation for a number of years, Congress finally passed and the President signed into law the Cybersecurity Act of 2015 (Cybersecurity Act).
The Cybersecurity Act makes three key changes to current law. First, it provides explicit authorization for companies to share cyber threat information with each other and the government, as well as to receive such information. Second, it authorizes private sector use of defensive measures. Third, it provides a safe harbor from liability for sharing the cyber threat or defensive measure information in good faith in compliance with the safeguards required by the legislation.
Technology companies are impacted by having greater legal clarity for actions they may take to monitor and protect their own and their clients’ information and information systems. Internet Service Providers and Cybersecurity Services Companies are the most likely to benefit from the clear authorization for information sharing that was addressed by way of exception to prohibitions in laws such as the 30-year-old Electronic Communications Privacy Act. By providing an explicit authorization and protection from liability, Congress intends to foster such sharing, which experts believe should help companies address cyber risks in a timely fashion.
Likewise, authorization for use of defensive measures that protect one’s own as well as customers’ data can be important and allow companies to act more expeditiously than they would under current authorities “by exception.” There continues to be a great reluctance in government to deputize the private sector in protecting itself to such an extent that it can become “offensive.” Thus the bills do not provide liability protection for defensive measures.