United States: Congress Enacts Major Cybersecurity Legislation

On December 18, 2015, Congress passed, and the President signed, the Cybersecurity Act of 2015, which authorizes, and provides liability protection for, cybersecurity monitoring and information-sharing, and separately authorizes the operation of cyber defensive measures. The Act, which comes after four years of efforts to enact federal cybersecurity legislation, also creates a new regime to encourage federal agencies to share cyber intelligence with the private sector more rapidly.1

Key provisions include:

  • Authorization and Liability Protection for Cybersecurity Monitoring, Operation of Defensive Measures, and Sharing and Receiving Cyber Threat Information. The Act authorizes private entities, "notwithstanding any other provision of law," (a) to monitor their own information systems, the information system of another entity with that entity's written consent, and information "stored on, processed by, or transiting" such an information system;2 (b) to share cyber threat indicators or "defensive measures"3 with, and receive them from, other entities, with no duty to warn or act based on information received;4 and (c) to operate defensive measures on the entity's own information system or on the information system of another entity with its written consent.5 For monitoring and information-sharing, the Act also contains liability protection provisions requiring dismissal of claims based on activities undertaken in accordance with the Act's requirements;6 note that this liability protection covers monitoring and sharing, not the operation of defensive measures. These authorizations and liability protections preempt state and local laws that "restrict[] or otherwise expressly regulate[] an activity authorized under" the Act.7
  • Avenues for Sharing with the Government. Under the Act, private entities may share cyber threat information with federal entities so long as the information is shared in a manner consistent with the Act, including a variety of provisions intended to protect personal information.8 By February 16, 2016, the Attorney General and the Secretary of the Department of Homeland Security (DHS), in consultation with the heads of other federal agencies, must provide to Congress interim policies to govern the sharing of cyber threat indicators and defensive measures with the federal government.9 Those policies, which must be finalized by June 15, 2016,10 will include guidance on how information will be shared and protocols for federal government agencies to automatically circulate information received from the private sector. The Act further requires DHS, by March 17, 2016, to establish a system for the federal government to receive cyber threat indicators from the private sector through online and other electronic means.11 Importantly, the process created by DHS may not limit or prohibit the sharing with federal and non-federal entities of information associated with known or suspected criminal activity, or the sharing of cyber threat indicators with federal entities either in support of law enforcement investigations or in order to fulfill contractual obligations.12
  • Requirement To Remove Personal Information. The Act includes provisions designed to ensure that personal information is not shared with the government or other companies. Before sharing a cyber threat indicator, the sharing entity must (a) review it to assess whether it contains information not directly related to a cyber threat that the entity knows at the time of sharing is personal information of a specific individual or information identifying a specific individual, and remove that information, or (b) employ a technical capability configured to remove such information.13 The Act requires the government to issue guidance to assist sharing entities with identifying this type of information.14 
  • Protections for Information Shared with the Government. Under the Act, information shared with the government shall (a) not constitute a waiver of privilege; (b) be protected from disclosure under the Freedom of Information Act (and state equivalents); (c) not be used to regulate, including in an enforcement action, the lawful activities of a non-federal entity or activities taken by such an entity pursuant to mandatory standards; and (d) be further disclosed, retained or used by a Federal agency only for (i) a cybersecurity purpose, (ii) identifying a cybersecurity threat or vulnerability, (iii) responding to, preventing, or mitigating a threat of death, serious bodily harm, serious economic harm, or a serious threat to a minor, or (iv) investigating, disrupting or prosecuting fraud, identity theft, espionage or offenses relating to trade secrets.15  
  • Federal Government Sharing with the Private Sector. The Act requires the government to develop procedures to promote the timely sharing with non-federal entities of classified, declassified and unclassified cyber threat indicators and defensive measures, as well as information relating to cyber threats and cybersecurity best practices.16
  • Authorization for DHS To Monitor the ".gov" Environment. The Act authorizes (and directs) DHS to deploy, operate and maintain, and to make available for use by other agencies, a capability to detect cybersecurity risks in network traffic and to prevent network traffic associated with cyber risks from transiting or traveling to or from an agency information system. The Act authorizes using contractors for this effort, and provides limits on liability for such contractors.17
  • Healthcare Industry Task Force. The Act requires the establishment of a healthcare industry cybersecurity task force, led by the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST), and composed of healthcare industry stakeholders and cybersecurity experts. The task force is directed to analyze how other industries address cyber risks, assess challenges and barriers to entities in the health sector securing themselves against cyber attacks, review challenges for securing networked medical devices and electronic health records, establish a plan for information-sharing between the government and industry stakeholders, and report to Congress. HHS and NIST are also directed to develop a set of voluntary, consensus-based, and industry-led best practices for the sector.18
  • International Cyberspace Strategy. The Act requires the Secretary of State, within 90 days, to produce a "comprehensive strategy" regarding US international policy in cyberspace. The strategy is to include, among other things, a review of actions taken by the Secretary to support the goal of the President's May 2011 International Strategy for Cyberspace,19 and a plan of action to guide diplomacy on the development of international cyber norms.20
  • Apprehension and Prosecution of International Cyber Criminals. The Act directs the Secretary of State to consult with officials from countries from which extradition is not likely and in which international cyber criminals are physically present, to determine what actions those governments have taken to apprehend and prosecute those criminals and to prevent them from carrying out cybercrimes or intellectual property crimes against the interests of the United States or its citizens.21


1. The Cybersecurity Act of 2015 was enacted as Division N in the Fiscal Year 2016 omnibus spending bill. The Act took effect on the date of its enactment (December 18, 2015). Title I of the Act, which includes the authorization and liability protections for cybersecurity monitoring, information sharing and use of defensive measures, will remain in effect with respect to any action authorized by or information obtained pursuant to it during the period ending on September 30, 2025. Section 111.

2. Section 104(a).

3. A "defensive measure" is a device, measure, etc. that "detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability." Section 102(7).

4. Sections 104(c) and 106(c).

5. Section 104(b).

6. Section 106.

7. Section 108(k).

8. Sections 104(c)-(d), 105, 106(b).

9. Section 105(a)(1).

10. Section 105(a)(2).

11. Section 105(c).

12. Section 105(c)(1)(E) (procedures established by Secretary of DHS may not limit or prohibit (i) reporting to law enforcement agencies known or suspected criminal activity, "including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation," (ii) legally compelled participation in a federal investigation; or (iii) providing cyber threat indicators or defensive measures to government agencies as part of a contractual requirement).

13. Section 104(d)(2).

14. Section 105(a)(4).

15. Section 105(d).

16. Section 103.

17. Section 223(a)(6) (amending Subtitle C of title II of the Homeland Security Act of 2002 to add Section 230).

18. Section 405.

19. White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011).

20. Section 402.

21. Section 403.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
