House Cybersecurity Information-Sharing Bill Provides Immunity Provisions for Reporting Companies


The U.S. House of Representatives passed an amended version of the Cyber Intelligence Sharing and Protection Act (CISPA), with a 288-127 vote. The current version of CISPA (H.R. 624) would provide private-sector companies with protection from liability for sharing information on cyber-threats with federal government agencies. With the passage of this bill, the House attempts to resolve the problem of President Barack Obama’s Cybersecurity Executive Order not providing any liability protection to reporting companies. (Read our alert on President Obama’s Executive Order here.) The bill provides both criminal and civil immunity for corporations sharing information with government agencies, as long as they act “in good faith.” The amended version defines a lack of good faith as including “any act or omission taken with intent to injure, defraud or otherwise endanger any individual, government entity, private entity or utility.” It also requires the Director of National Intelligence to establish procedures to permit “elements of the intelligence community” to share cyber-threat information, including classified information, with U.S. companies and utilities.

CISPA expressly limits the federal government’s use of cyber-threat information to only cybersecurity purposes and for the investigation and prosecution of cybersecurity crimes (as well as the prevention of death or serious bodily injury to individuals and various threats against children), and specifically prohibits the government from searching cybersecurity information for any other purpose. The federal government also may not use sensitive personal information (defined to include a number of categories containing information that can be used to identify individuals, including tax returns, medical and educational records, firearms sales records, library circulation records and patron lists, and book sales records), except in accordance with established policies and procedures to protect the private and confidential nature of this information. The bill mandates that the Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, establish these policies and procedures.

While CISPA immunizes private-sector companies from liability, it also establishes a private right of action in federal court for actual or statutory damages for any person “adversely affected” by the government’s willful or intentional violation of the express restrictions on the protection, disclosure, and use of the shared information.

The recent amendments to the House version of CISPA were aimed at satisfying concerns about protection of individual privacy – including those expressed by President Barack Obama in a statement released prior to the bill’s passage. The President, however, has expressed grave concerns about this bill in its present form and has threatened to veto the bill because it does not require private-sector organizations sharing information “to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” and affords broad immunity to the sharing companies. The amended version now goes to the Senate for consideration.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Loeb & Loeb LLP | Attorney Advertising

Written by:


Loeb & Loeb LLP on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.