Two recent actions in the USA could have significant consequences for how companies approach cybersecurity. In 2014, many of the most recognizable companies in America fell prey to cyber attacks. The list of victims is a veritable who’s who of corporate America: Target, J.P. Morgan Chase, Home Depot, Staples, AT&T, Sony, eBay, Yahoo and Google. In the face of the clear threat posed by these attacks, the federal government has taken steps to respond.
First, in April, the U.S. House of Representatives passed two bills to encourage companies to share cybersecurity information with the government and other private entities. Both bills include broad liability protection for companies that monitor their networks for cybersecurity threats and share what they find. Second, the SEC has not taken any formal action yet, but it has indicated that it may soon turn up the heat on companies to disclose their cybersecurity vulnerabilities.
Cybersecurity legislation passes the House
The two pieces of legislation passed by the U.S. House of Representatives are similar to bills passed last year, but proponents say they have amended them to address concerns raised by Senators and outside groups. The first bill came out of the House Permanent Select Committee on Intelligence and is entitled the Protecting Cyber Networks Act (PCNA). The second bill came from the Committee on Homeland Security and is entitled the National Cybersecurity Protection Advancement Act of 2015 (NCPAA). Both bills passed with bipartisan support and now move to the Senate, where the Intelligence Committee approved similar legislation in March.
The two bills are largely alike in their approach. Both authorize companies to conduct defensive monitoring of their networks and to take defensive measures when confronted with attacks, so long as those defensive measures do not harm the attacking computers. The bills also establish a framework for companies to voluntarily share with federal agencies and other corporations information about cybersecurity threats and defensive measures.
In the past, companies have resisted sharing cybersecurity information out of fear that it could encourage legal actions against them. To address this concern, both bills include broad liability exemptions. These provisions protect companies when they monitor their networks or share information about cyber threats. For example, the PCNA provides that “no cause of action shall lie or be maintained in any court against any private entity” either “for the monitoring of an information system” in accordance with the terms of the act or for “the sharing or receipt of a cyber threat indicator or defensive measure” under the provisions of the act. Both bills also exempt information shared with the government from federal disclosure laws and provide that sharing information does not constitute a waiver of trade secret protection.
To discuss this or any other issues relating to advertising law, please contact Andrew B Lustigman, Olshan Law, New York on ALustigman@olshanlaw.com