Cybersecurity Legislation: What It Means for the Private Sector
By Rolando R. Sanchez
Proposed legislation now waiting for a Senate vote would grant liability protection to companies that share cyber threat information with the federal government and other companies.
Liability protection for the private sector is contained in bills introduced in both houses of Congress and in the pending National Defense Authorization Act (NDAA) for fiscal year 2016. These liability protections apply to voluntary information that a company may share and, in the case of the proposed NDAA, mandatory reporting by certain government contractors to the Defense Department after they experience a breach.
But these proposed liability protections have limits and will not apply to cases of “willful misconduct” and, if current language in Senate legislation prevails, instances of “gross negligence.”
The Senate Cybersecurity Information Sharing Act of 2015 (CISA – S.754) was approved by the Senate Select Committee on Intelligence in March but has yet to make it to the floor for a vote. CISA has bipartisan support — it was sponsored by Sen. Dianne Feinstein, D-CA, and Sen. Richard Burr, R-N.C. — as do two cyber bills already passed by the full House. The two House bills, titled the National Cybersecurity Protection Advancement Act (NCPAA – H.R. 1731) and the Protecting Cyber Networks Act (PCNA – H.R. 1560), passed the full House in April and are now awaiting Senate action. It remains to be seen what the Senate will do with the legislation.
The recent increase in cyber intrusions, including the massive data breach suffered by the federal government’s Office of Personnel Management that exposed the records of millions of current and former federal employees, should motivate the Senate to act on the legislation quickly.
The bill introduced in the Senate to enact CISA would provide liability protection by prohibiting any “cause of action” “in any court” against private entities that monitor authorized information systems, such as their own, and causes of action against entities that share or receive “cyber threat indicators or defensive measures” with or from other entities or the federal government. The House bills contain similar language, except that they would also provide liability protection to private entities that fail to act on the information shared (the PCNA language differs from the NCPAA in this regard because it requires that the failure be in “good faith”).
While both the Senate and House bills extend liability protection in order to encourage voluntary information sharing among companies and with the government, the bills differ in the circumstances under which they withhold liability protection. The House bills do not allow liability protection in cases where a company is found to have committed “willful misconduct” in the course of conducting activities under the legislation. They both define willful misconduct as misconduct that occurs intentionally “to achieve a wrongful purpose,” “knowingly without legal or factual justification” and “in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.” It is a tough definition that must be proved by the high standard of “clear and convincing evidence.”
CISA also contains a similar willful misconduct exception but goes further by also withholding liability protection in cases where a company engaged in gross negligence. Importantly, the bill defines neither willful misconduct nor gross negligence, so the parameters of these exceptions are undetermined. CISA’s addition of a gross negligence exception also dilutes the value of liability protection because negligence is a lower standard than willful misconduct.
Although the risk of liability for a company can exist under willful misconduct, the door would be opened wider under a gross negligence standard. If CISA becomes law and gross negligence remains an exception to liability protection, companies will need to weigh the risk of legal actions and their related costs — such as discovery and investigations — against the risk of not sharing information.
For some companies, it may not be worthwhile to engage in information sharing when they could be exposed to costly litigation from the plaintiff’s bar, the federal government or state governments to uncover gross negligence.
Interestingly, working drafts of the House’s NCPAA also included an exception to liability protection in cases of gross negligence. But after comments from private industry, that language was removed.
The proposed legislation is meant to calm the liability concerns of companies that want to engage in voluntary information sharing with each other and with the federal government but that can be exposed to legal actions and hefty liability as a result. For several years, legislation that grants liability protection has been the holy grail of U.S. companies and the federal government, who acknowledge the value of sharing cyber threat information, particularly information from the federal government, as a tool to combat cyber intrusions.
Currently, companies must defend themselves against bad actors such as nation states, hacktivists and organized crime, which makes the prospect of getting the federal government on a company’s “cyber team” more alluring. But without liability protection, companies that want to engage in information sharing as part of their cybersecurity best practices may face exposure to lawsuits. The produced or shared information may inadvertently reveal the personal information of individuals, which can expose a company to costly legal action for failing to protect private information or even for having mistakenly collected such information.
Consequently, companies may not want to expose their internal information to outside scrutiny. Recognizing these liability concerns, Congress is willing to provide liability protection. The danger of network breaches that threaten U.S. critical infrastructure and the U.S. economy as a whole outweighs other government enforcement and private concerns.
In a similar effort to calm concerns about liability exposure, the proposed 2016 NDAA, which passed the House in May and is now being considered by the Senate, provides liability protection to two types of defense contractors, “cleared defense contractors” and designated “operationally critical contractors,” who are subject to mandatory rapid reporting requirements to the Department of Defense. Similar to the House and Senate bills, the liability protection in the proposed 2016 NDAA does not extend to instances of willful misconduct in the course of complying with the reporting procedures.
The proposed 2016 NDAA would amend Section 941 of the Fiscal Year 2013 National Authorization Act and Section 391 of United States Code Title 10. Section 941 (which would be codified as Section 393 under Title 10) applies to “cleared defense contractors” who must report successful penetrations of their networks or information systems. The proposed legislation expands federal government authority to disseminate reported information outside of the Defense Department and includes a liability protection subsection to provide that no “cause of action shall lie or be maintained in any court against any cleared defense contractor” for compliance with the reporting requirements of the section. The important exception of willful misconduct is defined the same as in the House bills and must be proven by the higher standard of “clear and convincing evidence.”
The legislation also amends Section 391 of Title 10, which applies to DoD “operationally critical contractors” that experience a “cyber incident” on their networks or information systems, and provides them with the same liability protection with a willful misconduct exception.
Overall, the amendments contained in the proposed 2016 NDAA address some but not all of the liability concerns created by recent rules imposed on contractors. It remains to be seen if other mandatory reporting requirements will be similarly amended with future legislation or through acquisition rules or other regulation. These include Section 325 of the 2014 Intelligence Authorization Act, which imposes rapid reporting requirements on cleared intelligence community contractors, and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which applies to unclassified controlled technical information.
Arguably, the DFARS requirement reaches more contractors than the defense contractors covered by the changes in the proposed 2016 NDAA because unclassified controlled technical information includes military or space applications.
Liability protection is needed from Congress to ensure that contractors and other companies are willing to voluntarily share threat information and that contractors fulfill existing mandatory reporting requirements. Although the final language of the draft Senate and House bills and the 2016 NDAA remains to be debated, there is a good chance that liability protection for voluntary information sharing, and certain mandatory reporting requirements, will become a reality through the legislation now pending in Congress. The effectiveness of this liability protection may be limited if there is a fight to keep the gross negligence language currently in the Senate bill.
Rolando Sanchez is a government contracts and cybersecurity attorney at Hollingsworth LLP.