This week, the US Senate passed the Cybersecurity Information Sharing Act (the Act) by a wide margin. As we previously discussed, the Act enables companies to share cybersecurity-related information and cooperate with one another and with the federal government.
Under the Act, companies could monitor certain information for cybersecurity purposes, including the following:
- Their own information systems
- Information systems of other entities, including federal government entities, as authorized by such entities
- Information stored on or processed by the information systems noted above
Companies could also apply defensive measures to any of the information systems noted above, subject to consent for such measures from the applicable hosting entity. In addition, entities could share cyber threat indicators and defensive measures with other entities.
The broad rights granted to companies and the federal government under the Act are subject to some limitations, including the following:
- Any entity that monitors, provides, or receives information or operates defensive measures under the Act would be required to implement security measures to protect against unauthorized access.
- Any entity that shares a cyber threat indicator under the Act would need to first review the indicator for, and remove, any personal or personally identifiable information. An entity may use a technical method designed to remove personal data to satisfy this requirement.
Any disclosures of information under the Act by private entities to the government are voluntary. Next up for the Act, congressional leaders will work on a final compromise bill.