During the 2013 holiday season, retailers were targeted in some of the largest cyber attacks on record, compromising tens of millions of consumer payment card numbers. This holiday season—Friday December 18, 2015 to be exact—President Obama signed into law a $1.1 trillion spending bill. Included within the larger spending bill is the Cybersecurity Information Sharing Act of 2015 (the “Act”). As we continue to monitor the intersection of cybersecurity and the law, we wanted to take a closer look at the implications for the liability landscape in response to the Act.
Lawmakers advise that cyber risks often follow similar patterns and penetrate known vulnerabilities across multiple targets. Thus, the Cybersecurity Information Sharing Act of 2015 is intended to encourage early cyber victims to share as much information about the experienced data breach with the federal government and other similarly situated companies to arm against future parallel attacks. Companies willing to share information about hacks receive immunity from antitrust lawsuits and for claims predicated on their monitoring of information systems.
Section 106 of the Act is titled “protection from liability” and explains that a private party is exempt from any action in any court for (1) monitoring information systems pursuant to the Act; and (2 )”sharing or receipt of cyber threat indicators.” See Act. A “cyber threat indicator” is defined as ” information that is necessary to describe or identify—(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability; (B) a method of defeating a security control or exploitation of a security vulnerability; (C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability; (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; (E) malicious cyber command and control; (F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat; (G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or (H) any combination thereof.”
In the summary of the Act, the bill explains in more basic terms: “[t]his title exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats. The exemption is inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.” We have previously reported that uncertainty can breed litigation. See article. In this case, the Act may alleviate uncertainty that causes companies to hesitate about whether to share information about an experienced data breach with the federal government and similarly situated companies for fear of legal retaliation.
However, not everyone finds the new legislation praiseworthy. Privacy advocates condemn the bill as surveillance legislation veiled as a “security” bill. Cyber experts criticize the Act for failing to motivate companies to invest in ways to reduce known vulnerabilities. Instead, they argue, the Act’s removal of liability for sharing corporate information may in reality create a disincentive for companies to invest in improved cyber defense tools.
It remains uncertain how–if at all–the new legislation will impact lawsuits from consumers alleging privacy and consumer fraud claims for failure to guard against such data breaches. For example, some consumer advocates argue that “rapid and expansive sharing of cyber threat data between corporations and government agencies [permitted under the new legislation] without sufficient safeguards will increase the risk of misuse of that information.” See Consumer advocates letter. The increased risk of misusing consumer information may encourage additional lawsuits against companies that cyber experts say are not investing in the defense resources necessary to guard against future and more sophisticated cyber threats. Therefore, while antitrust actions in the cyber-litigation landscape may decrease as a result of the Act, companies will still likely face a host of other consumer lawsuits relating to cyber security issues. We will continue to monitor how companies and consumers respond to the Act inside and outside of court.