President Obama Signs Cybersecurity Act of 2015 | Practical Law

President Obama has signed a $1.1 trillion omnibus spending bill that includes the Cybersecurity Act of 2015, an act that is based on a compromise between the Cybersecurity Information Sharing Act (CISA) passed by the Senate and two other cybersecurity information sharing bills, previously passed by the House of Representatives.

Practical Law Legal Update w-001-0953 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 21 Dec 2015
USA (National/Federal)
On December 18, 2015, President Obama signed H.R.2029 into law. This $1.1 trillion omnibus spending bill includes Division N, entitled the Cybersecurity Act of 2015. The Cybersecurity Act is based on a compromise between three different versions of earlier proposed bills, including the failed Cybersecurity Information Sharing Act, and it is intended to encourage companies to quickly share information about cybersecurity threats, incidents, security vulnerabilities, and defense mechanisms, potentially in real time. The Act directs the Department of Homeland Security (DHS) to create a Portal and related guidelines that will facilitate cybersecurity data sharing, and to disseminate that information to other government agencies, private entities, and the public, as appropriate under the Act's guidelines.
A private entity may share information with the DHS Portal or other entities for the purpose of protecting systems from cybersecurity threats, provided it first:
  • Determines, at the time of disclosure, whether the cybersecurity information contains personally identifiable information (PII) of a specific individual, or identifies an individual, that is not directly related to the reported cyber threat.
  • Removes any known, unrelated PII from the information disclosed, manually or through technical means.
Importantly for businesses, the Act also includes provisions:
  • Clarifying that sharing cybersecurity information in accordance with the Act will not violate antitrust laws or waive any applicable privilege or protection provided by law, including trade secret protection.
  • Clarifying that the Act does not create a duty to share, warn about, or act on cybersecurity threats or defense measures.
  • Protecting proprietary information shared by private entities through designated government portals.
  • Establishing liability protection for private entities that monitor information systems or share cybersecurity information in accordance with the Act.
These provisions address many of the concerns businesses expressed around sharing cybersecurity data.