Congress passes cybersecurity legislation

Posted on 12/29/2015 at 08:00 AM by John Lande

In the bowels of the omnibus spending bill that President Obama signed into law on December 18, 2015, Congress tucked a new federal law intended to encourage sharing of cyber-threat information. The Cybersecurity Act of 2015 is a reconciliation of two separate bills that had been working their way through the House of Representatives and Senate.

This blog previously covered both bills from the House of Representatives and the Senate. The Senate and House bills were largely the same, with one significant difference that this blog explored in detail. The House version of the legislation would have shielded from liability any private company that received information about a cyber-threat but failed to take action based on that information. The Senate version of the bill removed that liability shield. The Cybersecurity Act of 2015 includes liability protection more like the Senate version of the bill. Private entities will be shielded from liability for monitoring for cyber-threats and sharing information about cyber-threats, so long as it is done in accordance with the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 also explicitly states that it does not create any duty to share cyber-threat information, and it does not create a duty to warn or act based on the receipt of cyber-threat information. Even though the Cybersecurity Act of 2015 does not affirmatively create any legal duty, it also does not displace any existing common law or statutory liability that may exist for cyber-attacks.

Congress's decision to not displace any existing law regarding liability for cyber-attacks is significant. As this blog has previously noted, there is law currently developing that holds retailers, such as Target, liable to financial institutions for the retailer's failure to adequately secure the retailer's systems. States and courts will still have the freedom to develop rules governing the sharing of responsibility for damages arising from cyber-attacks.

Within 90 days of December 18, 2015, the Department of Homeland Security, in conjunction with other federal agencies, is required to develop systems to receive cyber-threat indicators from private entities. The law envisions that there will be automatic information sharing between federal and private entities that will help with the development of defensive measures.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.




The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.
