[cabfpub] Cybersecurity Act of 2015
Ben Wilson
ben.wilson at digicert.com
Thu Jan 7 16:24:57 UTC 2016
Security Information Sharing Working Group:
Good news. On December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015. Sections 104, 105 and 106 of the Act are the ones most relevant to our work. They are titled as follows:
Sec. 104. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures with the Federal Government.
Sec. 106. Protection from liability.
Subsection 104(c)(1) of the Cybersecurity Act of 2015 recognizes the right of private entities to share cyber threat indicators and defensive measures for a cybersecurity purpose. [Section 102(4) defines "cybersecurity purpose" as "the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability."]
Subsection 104(d)(1) requires that the information be adequately protected, and more specifically, subsection 104(d)(2) requires that prior to sharing, the entity must (A) "review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information" and (B) "implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual."
If shared with a governmental entity, exemptions within section 104 of the Cybersecurity Act are found in: subsection (d)(4)(B)(ii) (exempt from local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records); subsection (d)(4)(C)(i) (exempt from action when following "mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator"); and subsection (e) (not a violation of any provision of antitrust laws "for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes").
Section 106(a) protects entities from liability when "monitoring" a system. Section 106(b) protects entities from liability when sharing or receiving information and, if the information is shared with the federal government, provided that such sharing complies with section 105.
I'm not addressing section 105 (sharing with the federal government) here; that can be addressed separately if/when it arises.