19 February 2016
Business groups got much of the liability protections they wanted in cybersecurity legislation enacted by Congress at the end of last year, but the final package is far from a panacea, attorneys told Bloomberg BNA.
The new law (Pub. L. No. 114-113), the Cybersecurity Information Sharing Act (CISA), is designed to shield companies from antitrust scrutiny and various other liability risks that could be triggered by cyberthreat data sharing. Although a big win for industry, the statute still leaves room for lawsuits or regulatory actions in some cases, including when a company receives threat information and ignores it or fails to adequately respond, attorneys said.
“There are no protections associated with decisions made or not made based on shared information,” said Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP. “That could present significant problems for companies.”
Regulators such as the Federal Trade Commission could call out the failure to act on threat data as a basis for arguing that a company neglected its cybersecurity obligations, Finch noted. There's also the potential for litigation driven by plaintiffs' lawyers, he said.
In addition, language authorizing companies to take “defensive measures” may not go far enough, according to Stephen Newman, a partner at Stroock & Stroock & Lavan LLP. He cited a lack of protection for “white hat” hacking, or minimal invasion of a threatening system.
“A business that is victimized by an attack could find itself at liability risk if it substantially harms the attacking system even in response to an extremely damaging assault,” Newman told Bloomberg BNA.
And while the law does provide some robust liability protections for the sharing of information, companies must adhere to certain rules and procedures in order to qualify.
Congress passed CISA in late December as part of end-of-the-year omnibus spending legislation. Lawmakers scrambled behind the scenes to draft a compromise information sharing bill after the House and Senate produced conflicting measures. The final package came just in time for Christmas, with several provisions that were on industry's wish list.
“On the whole, I think this is a step in the direction that would give comfort to a number of corporate entities that they're not going to be immediately subject to problems such as antitrust actions, provided that they follow the necessary procedures,” said Trevor Nagel, a partner at White & Case LLP. “It's an act which sets out a set of procedures you have to follow very carefully to get the protections of the statute.”
The act is primarily intended to encourage companies to voluntarily share cyberthreat data with government and industry partners by limiting potential liability risks. One provision calls for the prompt dismissal of lawsuits filed against private entities that monitor, share or receive cyberthreat information, “notwithstanding any other provision of federal, state, local, or tribal law.” This offers protection, for example, from charges that a company violated privacy laws by including an individual's personally identifiable information as part of a threat disclosure.
Privacy was a major sticking point in the debate over the legislation. Privacy advocates worried that government entities such as the National Security Agency would have a new tool to conduct surveillance on ordinary Americans.
To qualify for immunity, companies are required to remove any extraneous personally identifiable information prior to sharing cyberthreat data. The Departments of Justice and Homeland Security were directed to jointly craft privacy guidelines that will need to be followed. Interim guidelines were issued Feb. 16. They are due to be finalized in June.
“I think it's really important for businesses now to drill down with their counsel and compliance people and make sure that whatever information sharing mechanisms they set up are compliant with the rather technical terms of the statute,” said Rajesh De, a partner at Mayer Brown LLP and a former general counsel at the NSA. “Otherwise, they may not be afforded the protections that are in place.”
The act also provides that two or more private entities are not in violation of antitrust laws for exchanging or providing cybersecurity information, or for assisting with the prevention, investigation, or mitigation of a threat.
“If you're communicating information to a competitor, you might be worried that someone might claim that's an antitrust violation,” Newman said.
Another provision exempts cyberthreat information from disclosure under any freedom of information or open government law. In addition, there's language prohibiting government entities from using threat disclosures to regulate the “lawful activities” of private entities, although such information may “inform” the development or implementation of regulations.
The law also allows companies to use defensive measures to protect their rights or property. However, this excludes activities that are generally considered offensive in nature, such as “hacking back” activities, or any steps that would substantially harm another private entity’s information systems.
'Failure to Act' Compromise.
Missing from the statute are explicit “failure to act” protections. Such provisions were proposed in the House, but they didn't make the final cut. Instead, the enacted legislation includes a “rule of construction” clause saying that the measure doesn't create a duty to “warn or act” based on the receipt of threat information.
“It seems to me you lose a lot of votes if you say we're going to give wholesale protections to companies that ignore alerts,” said Nathan Taylor, a partner at Morrison & Foerster LLP. “There's no way this Congress could have reached consensus and agreed on a provision like that; it's just a bridge too far.”
The business community would have preferred explicit liability protections but can probably live with the construction clause, said an industry lobbyist who actively pushed for passage of CISA.
“It was going to be difficult to get those stronger protections,” said the lobbyist, who was interviewed on the condition of anonymity. “We wanted language like this because there was a fear that companies might be beset by hundreds or thousands of indicators and might miss a crucial one,” leading to liability problems.
While the rule of construction language clarifies that companies aren't required under CISA to respond to threat information, they may still be obligated to do so as a “standard of care” under other statutes, such as the FTC Act, according to Taylor.
“I wouldn't rest comfortably on the assumption that a rule of construction was going to protect me from any and all liability relating to a failure to respond to threat data,” he said.
Ignoring threat information, depending on the circumstances, might be deemed by the FTC as a “deceptive or unfair” practice, attorneys said. It could also show up in a broader complaint alleging that a company has weak security practices overall.
“There will still be lots of ways for regulators to bring claims against companies for allegedly negligent, unreasonable or otherwise inadequate security measures,” Finch said.
The FTC announced a related settlement with Oracle Corp. in December, resolving charges that the company intentionally provided consumers with inadequate Java software updates, jeopardizing the security of hundreds of millions of personal computers.
Oracle gave false assurances about its software updates, which constituted an act of deception under Section 5 of the FTC Act, the commission alleged. The agency cited internal company documents in making the case that Oracle was aware of the insufficiency of its update process. The settlement required the company to clearly notify consumers about the risks of older, insecure versions of the software and to refrain from making deceptive statements in the future.
In the financial sector, companies have been put on notice about the importance of paying close attention to threat data. In a 2014 statement, the Federal Financial Institutions Examination Council (FFIEC), an interagency body, said that financial institution management is “expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly.”
Advice for Companies.
In light of the potential risks, companies would be wise to have a plan in place for examining and acting on threat information as part of a larger security program, according to Finch.
“Companies can't afford to look to CISA as a panacea,” he said. “It's an excellent first step, but it's just that: a first step. Companies should constantly review their security programs and make sure they have a justification and a logic behind what they're doing. That's going to put them in a better position to offer a strong defense should a problem arise.”
Reproduced with permission from BNA's Corporate Counsel Weekly, 31 CCW 59 (Feb. 24, 2016). Copyright 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com.