At least five bills touching upon cybersecurity may soon be introduced on Capitol Hill. Early drafts of three primary bills, including the Senate Select Committee on Intelligence’s Cybersecurity Information Sharing Act, the House Permanent Select Committee on Intelligence’s Protecting Cyber Networks Act, and the House Homeland Security Committee’s National Cybersecurity Protection Advancement Act, share a great deal of common language, and present both opportunities and risks for the directors, officers and general counsel of private businesses.
The proposed legislation seeks to increase information sharing about cyber threats between the government and private sector on a voluntary basis. To that end:
- Businesses providing the government with cyber threat data would not waive intellectual property or trade secret protections on the information provided.
- Businesses would be specifically allowed to monitor and defend their own systems, including with measures modifying or blocking data packets presenting cyber threats, perhaps also encompassing techniques such as long passive walls and proactive forensic collection such as beacons and “honey pots.”
- Businesses monitoring their systems and sharing cyber threat information with the government and other businesses in good faith would receive some legal liability protections.
The bills also helpfully buttress the Justice Department and Federal Trade Commission’s recent joint policy statement that antitrust laws should not be roadblocks to the legitimate sharing of technical cybersecurity information, as distinct from competitively sensitive information such as prices, output or business plans.
Yet most of these positive developments for business come with catches that are worth noting:
- In all three bills, liability protections for businesses monitoring their systems and sharing information do not extend to willful misconduct or, in the National Cybersecurity Protection Advancement Act, to gross negligence either.
Monitoring or defensive measures, if used, must themselves be protected from unauthorized access. And efforts by businesses to defend their computer systems may not damage others’ systems through “hack-backs.”
- Businesses must make “reasonable efforts” to minimize, safeguard and remove personally identifying information (PII) within data, unrelated to cyber threats, that is shared with others.
This places the burden on businesses to remove PII from cyber data sought by the government, and the financial cost may be too great for many small and medium-sized businesses. Companies must then comply with federal and other restrictions on the further use of that shared data, raising the risk that businesses will lose control of the data they share. These provisions may disincentivize businesses from collaborating with the government on cyber threats in the first place.
- The Protecting Cyber Networks Act would rule out businesses sharing information directly with the Defense Department generally or the National Security Agency specifically.
- The Protecting Cyber Networks Act would establish a private legal cause of action against the government for intentionally or willfully violating privacy and civil liberties guidelines, and would award the greater of actual damages or $1,000 per violation, along with plaintiffs’ attorneys’ fees.
Given the amount of metadata potentially involved in sharing cyber threat information, this is an invitation to class-action lawsuits. While actions brought under this law would be directed against the government, businesses assisting the government by sharing cyber threat information may be pulled into expensive litigation as third parties.
No doubt these bills will undergo significant amendments in committee, on the floor and in conference, and be subject to considerable public debate, before possibly becoming law. Directors, officers and general counsel should keep an eye on whether positive goals for business such as increased voluntary information sharing, legal authority for monitoring and defensive measures, and antitrust and intellectual property protections, can be balanced against the potential compliance burdens and legal risks of participating in these proposed cyber programs.
By Kevin Carroll, Quinn Emanuel, and Frank Cilluffo, SDI Cyber Risk Practice. Carroll is an expert in national security and cybersecurity issues and resident in Quinn Emanuel’s Washington, D.C. office.
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
April 14, 2015