Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. CISA sponsors and supporters hope that such information exchange will help organizations prepare for and respond more effectively to cyber threats.
In addition to CISA, the spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services (HHS) to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.
We summarize here key cybersecurity provisions in the spending bill.
The main goal of CISA is to encourage organizations to share information with the government about the cybersecurity threats they face and to help strengthen the mechanisms via which such information is disseminated to other organizations to help them improve their cyber defenses.
Despite overwhelming support in Congress and backing from many in the private and public sectors, questions remain about some provisions in CISA, including whether privacy safeguards are adequate and whether liability protections are sufficient to allay organizations’ fears of being sued based on their participation in information sharing. How these issues are resolved will help determine whether CISA will make a real difference in the way organizations share, receive, and use cybersecurity information.
In response to concerns that individuals’ privacy will be affected when an organization shares information with the government, CISA requires participating organizations first to remove any information “not directly related” to a cybersecurity threat that the organization knows at the time of sharing to be personal information of a specific individual that “identifies” the specific individual. CISA also directs the Attorney General and the Department of Homeland Security (DHS) Secretary to develop guidance for organizations on what information must be removed and guidelines for government on how to handle the information it receives through the program, taking into account privacy concerns. This guidance very well may be based on DHS’s Privacy Impact Assessment 029 of October 28, 2015, which currently details the department’s approach to privacy under an existing information-sharing program—the automated indicator sharing (AIS) initiative. Under the AIS program, a limited number of participants began receiving automated cyber-threat indicators from the federal government in July 2015, and since November the federal government began accepting cyber-threat indicators submitted by the private sector. Lessons learned in this program likely will serve as a foundation for CISA’s privacy rules.
With respect to liability-related concerns, CISA attempts to protect organizations from lawsuits arising out of participation in information sharing by stating that any legal action based on the sharing or receipt of a cyber-threat indicator through the program shall be promptly dismissed. Furthermore, CISA states that nothing in the legislation shall be construed to subject an entity to liability for non-participation in the activities authorized by the program. Notably, organizations will receive liability protection for sending and receiving cyber-threat indicators, but CISA does not expressly provide liability protection for the use of this information or a decision not to use the information to improve cybersecurity defenses. Also, CISA does not prevent the government or private litigants from using an organization’s non-participation in a future lawsuit as evidence of negligent maintenance of the cybersecurity of its systems.
Whether and how these privacy and liability issues are resolved likely will impact organizations’ decisions about participating in the information-sharing program, and ultimately, CISA’s overall effectiveness in helping prepare organizations to defend against cyber attacks.
Included in the spending bill is a lesser-known provision—Section 405 of Title IV—that could impact the cybersecurity practices of organizations already covered by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The provision directs the HHS secretary to establish and regularly update a set of voluntary cybersecurity best practices standards. CISA directs that these standards are to be consistent with the current HIPAA Security Rule, but they may end up being more specific than the Security Rule and potentially inconsistent with current industry practices. Additionally, the bill directs the HHS secretary to create a new public-private task force to review the challenges to securing networked medical devices and other software or systems that connect to electronic health records. The task force is directed to report on ways healthcare stakeholders can improve their preparedness for, and response to, cybersecurity threats.
Organizations in the healthcare industry should pay close attention to the implementation of these CISA provisions. Although the standards are labeled voluntary, their publication would have a government imprimatur and likely would inspire advocacy pressure to make them industry standards. And both the cybersecurity best practices and the findings in the task force report could be used against entities in administrative or judicial proceedings related to a cybersecurity incident.
The spending bill includes a number of other cybersecurity authorizations and reforms for the federal government, many of which involve activities by DHS and the Office of Management and Budget (OMB).
The bill directs DHS and OMB to implement an intrusion assessment plan to detect, identify, and remove intruders in federal information systems. OMB is further directed to issue operational directives to federal agencies related to securing agency information systems. Agencies also are required to assess access controls for sensitive and mission critical data and encrypt or otherwise render indecipherable this data to unauthorized users, among other measures.
The bill also directs DHS along with other agencies to identify cyber-related positions in the federal workforce. Agency heads must report to Congress on the percentage of personnel who hold appropriate industry-recognized certifications for information technology and cybersecurity and the level of preparedness of these personnel. Subsequently, OMB (in consultation with DHS) is directed to produce a report identifying the critical workforce cyber needs across all federal agencies.
If you work in privacy, the important takeaway from the enactment of CISA is that organizations engaging in cybersecurity threat information sharing have new guidance on how to consider and mitigate the privacy implications of such sharing, with more detailed information likely to emerge as CISA is implemented. Privacy pros working in health-related fields should monitor HHS’s development of cybersecurity best practices standards and issuance of a task force report on securing systems that connect to electronic health records.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Tracker.
Authored by Allison Bender, Paul Otto and Jared Bomberg