President Obama Signs Cybersecurity Act of 2015 into Law

Locke Lord LLP

On December 18, 2015, President Obama signed into law the Federal Cybersecurity Act of 2015 (the Act). The long-awaited and heavily negotiated legislation recognizes the need for greater cybersecurity threat information sharing among public and private entities, encourages private entities to more freely engage in such sharing and permits private entities to take certain measures to protect themselves against cyber threats.

With respect to information sharing, the Act establishes a mechanism for sharing cybersecurity threat information among private sector entities and the federal government, with the Department of Homeland Security as the primary hub for that sharing. The Act provides broad safe harbors for private entities sharing information in accordance with its terms, exempting such entities from civil, regulatory and antitrust liability based on their sharing, and exempting shared information from the Freedom of Information Act. Further, the Act specifically provides that disclosure of cyber threat indicators or defensive measures (discussed below) to the federal government in accordance with the Act will not operate to waive privileges or protections provided by law, such as trade secret protection.

The federal government’s usage of information obtained pursuant to the Act is limited to specified permissible uses. In addition, prior to sharing information under the Act, nonfederal entities are required to review the information and remove any information that the sharing entity “knows at the time of the sharing” to be personal or personally identifying information not directly related to a security threat.

With respect to measures that private entities may take to protect themselves, the Act authorizes private entities to monitor and use defensive measures to protect their information systems (and those of consenting entities). However, measures commonly considered and referred to as “hacking back” are specifically excluded from the defensive measures permitted by the Act. The U.S. Department of Homeland Security has released a document titled “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015” to provide “information that will assist non-federal entities who elect to share cyber threat indicators with the Federal Government to do so in accordance with the Act.”

Private entities will now be able to more freely share what is often rapidly evolving cyber threat information with one another and take defensive measures to protect themselves from those threats, avoiding circumstances where every new threat requires companies to repeatedly reinvent the wheel to protect their information and systems.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
