Full Report
President Barack Obama is planning to push legislation which would protect companies from lawsuits for sharing cyberthreat data with the government, reports the Washington Post.
Analysis Summary
# Regulation/Compliance: Proposed US Legislation for Cyber Threat Information Sharing Protection
## Overview
This refers to proposed legislation by the U.S. President (at the time) intended to protect companies from legal liability when sharing cyber threat data with the government. It is part of a broader focus on enhancing national cybersecurity, data breach notification, and consumer privacy rights.
## Key Details
- Issuing Authority: Proposed by the U.S. Executive Branch (President Barack Obama).
- Effective Date: Not applicable, as this is proposed legislation (as of the article date, January 2015).
- Jurisdiction: United States federal jurisdiction, affecting entities operating within the U.S. or handling U.S. data.
- Status: Proposed.
## Requirements
### Mandatory Requirements (Implied by the legislative goal)
1. **Data Sharing with Government:** Applies to entities that share cyber threat information with government entities.
2. **Liability Protection:** The core mandate is to establish legal protections (shielding from lawsuits) for entities that voluntarily share this threat data.
### Recommended Practices
1. **Data Breach Notification:** Companies are expected to adhere to mandates requiring disclosure of data breaches within 30 days (mentioned as a related, separate focus).
2. **Criminalization of Botnets:** Supporting actions to make the sale of botnets and stolen U.S. financial data illegal.
3. **Consumer Privacy Rights:** Implementing baseline protections on the use and holding of consumer data (Consumer Privacy Bill of Rights).
4. **Free Credit Score Access:** Providing customers access to their credit scores as an early fraud warning system.
## Affected Organizations
- Industries: All industries involved in sharing cyber threat intelligence with federal agencies.
- Organization Size: Not specified; likely applies broadly to any organization sharing data.
- Geographic Scope: United States.
## Compliance Timeline
- **Proposed Future Date (Related):** 30-day limit for revealing data breaches (implied standard linked to the legislative push).
- **Final deadline:** N/A (Dependent on successful passage of the proposed legislation).
## Implementation Guidance
### Assessment Phase
- *How to assess current state:* Identify current internal processes for identifying, aggregating, and sharing threat intelligence relevant to national security or critical infrastructure with federal partners.
### Implementation Phase
- *Steps to achieve compliance (upon passage):* Develop formal procedures for sharing threat data that fully leverage the newly established legal liability protections. Adapt processes to comply with mandatory breach notification timelines (if enacted).
### Validation Phase
- *How to verify compliance:* Require legal review of information sharing agreements and outgoing threat intelligence reports to ensure adherence to the standards set by the new liability shield legislation.
## Technical Requirements
The article does not specify direct technical controls, but the context implies a need for:
1. Mechanisms for securely transmitting cyber threat data to designated government centers (like the National Cybersecurity and Communications Integration Center).
2. Robust internal controls necessary to identify, characterize, and track cyber threats prior to sharing.
## Penalties & Enforcement
- **Fines:** Not specified for the data sharing protection legislation itself. However, related proposals suggest criminalizing the sale of botnets and stolen data, which would incur existing or new criminal penalties.
- **Other Consequences:** The primary consequence addressed is the *removal* of potential legal risks (lawsuits) for sharing data.
- **Enforcement:** Enforcement would involve the relevant federal agencies responsible for national security and law enforcement, particularly concerning the criminalization of cyber tools and stolen data.
## Related Standards
- The proposed legislation aims to create a specific U.S. statutory framework for information sharing, which would potentially interact with existing frameworks for threat intelligence sharing (e.g., ISACs, ISAOs).
- A **Consumer Privacy Bill of Rights** is mentioned, suggesting alignment or harmonization with broader privacy regulations (though specific standards like NIST or ISO are not explicitly linked to this proposal).
## Resources
- Official Documentation: Washington Post report on the proposed legislation (Original source link provided in summary footnote).
- Guidance Documents: White House statements regarding the President's cybersecurity and privacy agenda.
- Tools: Not specified.
## Practical Recommendations
1. **Monitor Legislative Status:** Organizations should closely track the progression of this proposed legislation to understand when liability protections become active.
2. **Review Existing Sharing Agreements:** Prepare to integrate new liability stipulations into existing Information Sharing and Analysis Centers (ISAC) participation or government MOUs.
3. **Strengthen Breach Response:** Align incident response plans to meet any new mandated deadlines for breach notification (30 days).
4. **Address Privacy Gaps:** Begin preparation for implementing baseline protections outlined in the proposed Consumer Privacy Bill of Rights.