Cyber Bill passed into law as part of Omnibus Spending Package

The Cybersecurity Act of 2015 (“Act”), which was added to the fiscal 2016 appropriations measure, was signed into law on December 18, 2015. The Act includes, among other things, incentives for companies to participate in sharing information about data threats with the government and among themselves. Among these incentives is liability protection for those who participate in the information sharing process, such as protection against lawsuits for sharing information and violations of the anti-trust laws. The information sharing is voluntary, and the Act does not create new regulatory authority.

The Act requires that if data is shared regarding a threat, personal information unrelated to the cyber threat be removed before sharing, and security controls must be adopted to prevent unauthorized access to information that is shared. Much of the implementation of the Act will be carried out by the Department of Homeland Security (“DHS”), and DHS will be required to conduct a second scrub of the data to remove any remaining personal information. DHS will host the “portal” where the information will be shared, but it must certify that its “portal” is capable of accepting the data. If it cannot make this certification, the Act gives the President the ability to designate “portals” at other agencies.

The Act sunsets in 10 years.