Your Company and the New Cybersecurity Act of 2015
It may have slipped by you, but on December 18, 2015, Congress passed the Cybersecurity Information Sharing Act of 2015. You may have missed it because it was attached as a 14th rider to the omnibus budget bill.
This piece of legislation is meant to “ease sharing of information between corporations and the government,” according to The Verge.
Several parts of the act could affect the way companies do business.
It is Voluntary
The fear of litigation has often kept companies from participating in data sharing with the government. It’s important to know that although this bill establishes a framework for the sharing of threat information, a company’s participation in it is voluntary. But there are incentives for participating. Companies are afforded liability protection if they do share cyber-threat information with the government.
You Can Report to More Agencies
In the past, if you had vital security information to share with the government, you would do so through the Department of Homeland Security. To make sharing this information easier, the bill calls for information-sharing portals to be set up with federal agencies like the FBI and NSA, in addition to Homeland Security. This is supposed to let companies pass information to federal agencies smoothly, rather than only through Homeland Security or the courts.
Privacy is a Hot Issue
The bill requires companies that submit cyber-threat information to scrub that information of any personal information before sharing it. Despite this, privacy advocates say the bill could allow organizations to circumvent the normal privacy protections.
But if the information shared has to do with a threat of death, serious injury, or economic damage, or with the exploitation of a minor, then personally identifiable information can be shared.
It Has a Healthcare Focus
Within the bill, the Department of Health & Human Services is tasked with addressing cybersecurity issues unique to the healthcare industry. Under the agreement, the department has 90 days to convene, and will look at issues like:
- How other industries have implemented strategies and safeguards to protect against cyber threats;
- Challenges and barriers the healthcare industry faces in safeguarding against cyber-attacks; and
- Challenges that come with securing networked medical devices or software that connect to electronic medical records.
The Cybersecurity Act of 2015 has a lot to decipher. Businesses should be cognizant of the four points above and keep in mind that, according to The Verge, the new language “clears the way for an open channel between tech companies and the government, unaffected by existing privacy laws.”
About JASON RHOADES
Jason Rhoades is a Principal at Schellman, where he oversees multiple compliance and security services including SOC, PCI-DSS, ISO, FISMA and HIPAA services. Jason also assists large and complex customers with multiple compliance needs in strategically aligning their compliance portfolio to maximize cost savings and efficiencies. Jason works with many leading organizations spanning industries such as fintech, financial services, cloud computing, healthcare, cybersecurity and many others.