After many months of debate, President Obama finally signed the Cyber-Security Information Sharing Act into law in December, doing so with the legislation buried within a massive “omnibus” spending bill. The big question businesses are now asking: In practical terms, is this good news or yet another cyber-security triggered headache?

In brief (and for an in-depth look at the legislation see Jaclyn Jaeger’s reporting here), the legislation creates a voluntary, real-time, data-sharing pipeline for cyber-risks between companies and the government. To facilitate and encourage voluntary information exchanges, the new protocol offers safe harbors intended to assuage fears of violating antitrust laws, regulatory enforcement actions, or legal liabilities.

Already there is some pushback. Companies like Apple, already at odds with the government over demands for a back door to bypass thus-far-uncrackable encryption standards, are raising expected privacy concerns and engendering political debate.

With the ink barely dry, there is already legislation to repeal the Cyber-Security Act, authored by Rep. Justin Amash (R-Mich.). He objects to what he sees as the “worst anti-privacy law since the Patriot Act,” an expansion of the government’s ability to conduct online eavesdropping.

“The Cyber-Security Act facilitates unconstitutional, warrantless surveillance on law-abiding Americans,” he said in a Jan. 15 statement. “The law grants immunity from liability to companies that share employees’ or users’ private information with the government or other companies, as long as they do so under the guise of cyber-security. It places no limits on the type of information that can be shared, which could include individuals’ personal online communications, and it allows the government to use the information it receives for purposes unrelated to cyber-security, including the investigation and prosecution of unrelated crimes.”

Setting aside the privacy debate that will continue to unfold, companies may nevertheless find no shortage of utility from data sharing, says Scott Vernick, a partner at law firm Fox Rothschild who specializes in technology and data security.

While there is a segment that is unhappy with this because they don’t think there are enough safeguards attached and another segment that doesn’t think it goes far enough, Vernick says, there are items that businesses will likely applaud.

“Assuming that you produce the information and turn it over in accordance with the statute, you do have safe harbor and protection from civil liability,” he says. That’s a good thing, but it is incumbent upon businesses to make sure they document what they are turning over in accordance with CISA’s provisions.

Also good news, from a business perspective, is that there is no “good faith” requirement. “There could have been some sort of challenge that somebody acted in bad faith even if, technically, they acted properly,” Vernick says. “A good faith standard isn’t in there, so you don’t have that messy analysis to worry about. It is just an objective compliance standard or compliance test.”

A sigh of relief may also be warranted because the legislation shields companies from civil, regulatory, and anti-trust liability. “That’s good,” Vernick says, “but there is no express protection from gross negligence or willful misconduct. That’s something that businesses will have to be mindful of.”

Turning over the information doesn’t waive any other privilege or protection afforded by law. Vernick finds particular benefit in the exemptions provided from Freedom of Information Act document requests. “People can’t figure out or track what you are doing,” he says. The exemption also prevents the plaintiffs’ bar “from trolling and looking at what companies are doing, trying to find a gotcha moment.”

“You don’t have to worry so much about the plaintiffs’ bar looking to see whether, for example, there has been a technical violation of the securities laws, or a technical violation of a privacy policy, or something else they could learn by watching what a company is sharing or not sharing with the government,” Vernick adds. That should minimize the threat of both class-action lawsuits and the reputation risk that comes with potentially inflammatory media coverage.

In addition to making sure that a company is turning over information in a way that is consistent with the law, executives must be on guard not to turn over anything that is unrelated to the threat data. The bright side, Vernick says, “is that as long as you don’t have personal knowledge of turning over something unrelated to the data you are probably going to be OK.”

PATHWAY TO SHARING CYBER-SECURITY DATA

The following is an excerpt from a report by the Senate’s Select Committee on Intelligence that summarizes the Cyber-Security Information Sharing Act of 2015.
This legislation creates a completely voluntary information-sharing framework that includes several layers of privacy protections to prevent abuse and ensure that the government cannot inappropriately acquire or use sensitive information other than for limited cyber-security and public safety purposes.
In addition to concerns about legal authorities, the specter of litigation for monitoring a company's own networks or sharing cyber threat indicators or defensive measures for cyber-security purposes has disincentivized private sector cyber-security efforts. Entities appropriately monitoring their systems for cyber-security threats and sharing information necessary to protect against those threats should not be exposed to costly legal uncertainty for doing so.
Moreover, it is these same companies who are the victims of malicious cyber activity, and their appropriate efforts to protect themselves and other future victims from cyber threats should not only be authorized but protected from unnecessary litigation. This legislation creates narrowly tailored liability protection to incentivize companies' efforts to identify cyber-security threats and share information about them. However, this liability protection does not extend to defensive measures, nor does it protect unauthorized monitoring or sharing, including gross negligence or willful misconduct, that risks sensitive data rather than safeguarding it.
Source: Senate’s Select Committee on Intelligence

Other concerns may need to be addressed once the process is in action. The Department of Homeland Security is the central point for collecting the submitted information, through its National Cyber-Security and Communications Integration Center. It is responsible for establishing an automated system to forward the information to other federal agencies in, ideally, real time. “That has some people nervous because it puts a lot of sensitive information in the hands of government to use for lots of different reasons and they didn’t have to get it with a subpoena or warrant,” Vernick says. How data is shared, when, and with whom, will be addressed. But nothing in the plan bypasses liability protections when communicating with regulators. Most important, the program is voluntary, with no affirmative obligation to participate.

The liability protections are among the more important aspects of the legislation, says Patrick Philbin, a partner with law firm Kirkland & Ellis who, while serving the Department of Justice, garnered extensive experience with the Electronic Communications Privacy Act and the Stored Communications Act. 

“It’s a strong liability protection provision. It even eliminated a provision in one of the prior bills that would have removed liability protection for gross negligence or recklessness,” Philbin says. “From the perspective of a business that wants to be protected and comfortable with sharing information, that was a very favorable result.”

The focus on continuous threat monitoring is also important to consider. Solutions for cyber-security are probably moving towards a real-time monitoring environment, and this statute seems to facilitate that approach. “Some commentators have noted that the broad language in the statute potentially means that a business can monitor its entire network, and authorize others to monitor it, without having to get permission from employees,” Philbin says. Real protection when it comes to cyber-security isn’t just reporting a threat and waiting for DHS to push it out to others, “so that by the time the information gets around you are closing the barn door after the horse is already gone.”

“It’s always the case with any new government program that there is going to be some working out of the kinks when you get down to the nitty-gritty,” Philbin says. “But I don’t see this plan as particularly problematic or having a whole lot of unresolved questions that somebody has to figure out before things can work. I wouldn’t rank it up there as one of those government efforts that really sounds good on paper, but is doomed to failure because it’s only a vague sketch when what you need is a blueprint.”

“People are glad that some legislation for information sharing with liability protection has finally been passed because it has been kicking around for so long,” he adds.

As for the future, Philbin expects continued scrutiny of director responsibilities regarding cyber-security and how they handle it. Public companies will also want to pay close attention to the Securities and Exchange Commission and its efforts. “It keeps marching forward with new enforcement programs and examinations for broker-dealers and registered investment advisers, looking to them to tighten up cyber-security standards,” he says.