DHS Publishes CISA Privacy And Civil Liberties Interim Guidelines

King & Spalding

On February 16, 2016, the Department of Homeland Security (“DHS”) published four documents related to implementing the Cybersecurity Information Sharing Act of 2015 (“CISA”).  CISA, which became law on December 18, 2015, seeks to promote the sharing of information related to cybersecurity threats between the federal and state governments and the private sector.

First, DHS published the Privacy and Civil Liberties Interim Guidelines (“Privacy Guidelines”), developed jointly by the Department of Justice and DHS pursuant to the CISA mandate that these agencies establish guidelines for protecting personal information and limiting CISA’s effect on privacy and civil liberties.  Because CISA incentivizes the sharing of information between federal and non-federal entities, including by offering protections against liability based on the act of sharing under CISA, there is a risk that personal information not necessary to understanding a cybersecurity threat might be shared and disclosed.

Included in the Privacy Guidelines are, among other things: (i) procedures for destroying and removing personal information not directly related to a cybersecurity threat; (ii) general procedures for notifying an entity that shares information under CISA that information provided by such entity is either in violation of CISA’s requirements or not directly related to a cybersecurity threat (e.g., personal information not directly related to a cybersecurity threat); (iii) procedures for notifying a United States person whose personal information has been shared in violation of CISA; (iv) restrictions on the federal government’s use of information it receives under CISA; (v) suggested controls, such as user access controls and segregation of data, to safeguard the confidentiality of personal information; and (vi) a mandate that federal agencies specify limits on their retention of information received under CISA.

The Privacy Guidelines describe some of the procedures above in relation to the Automated Indicator Sharing (“AIS”) initiative developed by DHS.  The AIS initiative seeks to achieve real-time sharing of cyber threat information and has been identified as the principal mechanism for sharing information with the federal government under CISA.  The AIS initiative allows any AIS participant to submit information related to a cybersecurity threat.  A major goal of the AIS initiative is to develop an automated system that can receive, filter, sanitize, analyze, and disseminate such information to other AIS participants.  Entities eligible to participate in the AIS initiative include all federal departments and agencies; private sector entities; and state, local, tribal, and territorial partners, as well as foreign governmental and foreign private sector entities.  In the initial phase of AIS, however, participants will be limited to certain federal departments and agencies and select private sector entities.

Because personal information may be submitted either as part of or accompanying information related to cybersecurity threats, DHS conducted a Privacy Impact Assessment of the AIS initiative, detailing privacy risks and associated mitigations.  For example, although AIS participants are instructed not to submit personal information unless it is necessary to understanding a cybersecurity threat, the AIS initiative performs automated analyses to detect and remove unnecessary personal information prior to dissemination.  In addition, the AIS initiative uses other safeguards for protecting privacy, such as limited human review to ensure the removal of unnecessary personal information, anonymizing the identity of submitters of information, minimizing the amount of data collected, and retaining information for a limited amount of time.
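The filter, sanitize, anonymize and retention steps described above, shown as an added illustration rather than DHS's own AIS implementation (which this update does not reproduce): a constructed indicator submission passes through a hypothetical sanitization function that drops the submitter's identity, removes fields not directly related to the indicator and records a notice for each so the submitting entity can be told, redacts e-mail addresses and phone numbers from free text, routes the record to limited human review whenever automated redaction fired, and stamps an expiry for retention. The field names, the regular expressions and the 365-day retention period are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed field names for a submission record; AIS's real schema is not on this page.
THREAT_FIELDS = {"indicator_type", "indicator_value", "observed_at", "description"}
SUBMITTER_FIELDS = {"submitter_org", "submitter_contact"}
# Assumed retention period; actual limits are set by each agency under the guidelines.
RETENTION_PERIOD = timedelta(days=365)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b")


def redact_personal_data(text):
    """Replace e-mail addresses and phone numbers in free text; return (text, count)."""
    text, n_email = EMAIL_RE.subn("[email redacted]", text)
    text, n_phone = PHONE_RE.subn("[phone redacted]", text)
    return text, n_email + n_phone


def sanitize_submission(record, now=None):
    """Return the disseminable indicator, notices for the submitter, a review flag and an expiry."""
    now = now or datetime.now(timezone.utc)
    indicator = {}
    notices = []  # what would be sent back to the entity that shared the record
    for field, value in record.items():
        if field in SUBMITTER_FIELDS:
            continue  # anonymize: submitter identity never reaches other participants
        if field not in THREAT_FIELDS:
            notices.append(f"field '{field}' removed: not directly related to a cybersecurity threat")
            continue
        indicator[field] = value

    redactions = 0
    if "description" in indicator:
        indicator["description"], redactions = redact_personal_data(indicator["description"])
        if redactions:
            notices.append(f"{redactions} personal data item(s) redacted from 'description'")

    return {
        "indicator": indicator,
        "notices": notices,
        # Pattern matching is not exhaustive, so anything that needed redaction
        # goes to limited human review before dissemination.
        "needs_human_review": redactions > 0,
        "expires_at": (now + RETENTION_PERIOD).isoformat(),
    }


# Constructed sample submission; every value here is made up for the example.
SAMPLE_SUBMISSION = {
    "submitter_org": "Example Corp",
    "submitter_contact": "analyst@example.com",
    "indicator_type": "domain-name",
    "indicator_value": "malicious.example",
    "observed_at": "2016-02-10T14:03:00Z",
    "description": "Phishing lure sent to jane.doe@example.org; callback 555-123-4567.",
    "victim_employee_id": "E-10422",
}


def run_sample():
    """Sanitize the constructed sample with a fixed clock so the result is reproducible."""
    return sanitize_submission(SAMPLE_SUBMISSION, now=datetime(2016, 2, 16, tzinfo=timezone.utc))


if __name__ == "__main__":
    result = run_sample()
    print("disseminate:", result["indicator"])
    print("notify submitter:", *result["notices"], sep="\n  ")
    print("human review:", result["needs_human_review"], "| expires:", result["expires_at"])
```

The indicator value itself is kept even when it looks like personal data (an attacker-controlled e-mail address is the threat information), which is why redaction is applied only to free-text fields; deciding which fields are "directly related to a cybersecurity threat" is the policy choice the guidelines leave to the receiving agency.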

The Attorney General and the Secretary of Homeland Security must issue final guidelines relating to privacy and civil liberties not later than 180 days after the date of the enactment of CISA, which is June 15, 2016.  In addition to coordinating with heads of appropriate federal entities and consulting with designated privacy and civil liberties officers, CISA mandates that the Attorney General and the Secretary of Homeland Security consult with such private entities with industry expertise as the Attorney General and Secretary consider relevant in issuing those final guidelines.  As the CISA liability protections for private sector entities only apply when information is shared in accordance with CISA, private sector entities seeking to participate in CISA and the AIS initiative should continue to follow and monitor these and other guidelines related to CISA.

In addition to the Privacy Guidelines, DHS published the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities.  This document details protections received by entities that share information under CISA.  These safe harbors are discussed in more detail in King & Spalding’s Data, Privacy & Security Practice Report from January 19, 2016, available here.

Third, DHS published the Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government.  This document outlines procedures by which federal entities can share information related to cybersecurity threats with other federal entities and with non-federal entities, including private sector participants.  The document discusses, for example, procedures relating to the sharing of classified, declassified, and unclassified information.

Finally, DHS published the Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government.  This document sets forth operational procedures for receipt, processing, and dissemination of cybersecurity information both through the AIS initiative and through non-automated means.

Reporter, Stephen R. Shin, New York, +1 212 556 2198, sshin@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
