The language of the Act emphasizes that involvement in the information-sharing system is voluntary and clearly forbids making any government benefit contingent upon participation. The Act does note, though, that a contract or shifting business standards may sometimes make participation necessary.

Public-Private Partnerships: Sharing Cyber Threat Information Under the Act

To facilitate information sharing between public and private organizations on cyber threats, the Cybersecurity Act creates a portal at the Department of Homeland Security (DHS) and its National Cybersecurity & Communications Integration Center (NCCIC). Furthermore, it makes clear the legal obligation of the NCCIC to evaluate and deal with cybersecurity risks and warning signs. The Act allows the president to assign the responsibility of gathering and disseminating cybersecurity threat information to an organization other than the NCCIC (even outside the DHS), but not to the Department of Defense.

The measure allows the DHS to use its discretion when disclosing cyber-threat information to other agencies or the commercial sector through the portal. Still, the DHS must take steps to ensure that personal data is deleted. The Act also protects shared cyber-threat indicators from being made public under the Freedom of Information Act (FOIA) and other legislation that advances openness and transparency in government.

Protecting Personal Information: Strict Requirements for Data Removal

Requirements for Data Removal

There are real privacy protections in the Act, despite worries that it would provide yet another avenue for government monitoring. The Act requires private entities to delete personal information before sharing. It also mandates that the DHS erase personal data before making any further disclosures in particular circumstances where risk indications may be combined with personal information. The Cybersecurity Act lays down restrictions on the use of cyber-threat information, provides exemptions from FOIA disclosures, and creates requirements to safeguard threat information, including personal data.

Private firms are required under Section 104(d)(2) to identify and remove personal information that is not immediately related to a cybersecurity issue before disclosing information under the Act. Furthermore, Section 103(b)(1)(E) requires the Federal entity to create procedures for the identification and removal of data that is “not directly relevant to a cybersecurity threat” and that the Federal entity knows to be either personal information pertaining to a specific individual or information that can identify a specific individual. It also requires procedures to notify those whose personal information is discovered to have been shared illegally. The Act therefore creates a process that entails two rounds of meticulous review, plus notification, to avoid the disclosure of personal data that is not necessary for cybersecurity goals.

The Act also lays out a number of monitoring procedures, one of which is the protection of privacy, which calls for the deletion of personal data. Within three years, the US Comptroller General must report on the issue to Congress. The report is to assess the suitability of the laws, procedures, and norms related to civil liberties and privacy (Section 107(c)).

Beyond Passive Measures: The Act’s Authorization for Monitoring and Defense

Permissions to avoid, identify, examine, and lessen cybersecurity threats are covered under Section 104. According to this section, private companies are permitted, with the proper authority and formal authorization, to monitor cybersecurity on their networks or those of others. Moreover, it provides that, as long as they have received sufficient authorization and written approval, private entities are free to use “defensive measures” to protect their rights and property and the information systems of other organizations.

The Act defines a “defensive measure” in a broad and technology-agnostic way: any action, device, procedure, signature, technique, or other measure implemented on an information system or the information stored, processed, or sent by it. These actions are meant to find, stop, or lessen the effects of a known or suspected cybersecurity threat or vulnerability (Section 102(7)(A)).

The phrase expressly covers any action that destroys, makes an information system unusable, obtains unlawful access to, or seriously damages information that is not within the control of the private company carrying out the activity. This likewise holds for any other organization for whom such acts are authorized (Section 102(7)(B)). The additional rights, if any, that the Act offers are not specified in its provisions. It is made very clear, therefore, that the rule does not aim to limit any lawful behavior (Sections 104(a)(2)(B) and 104(b)(2)(B)).

Limited Liability and Regulatory Protection: The Act’s Safe Harbor

The Cybersecurity Act provides significant liability protections to private-sector organizations. Section 106 of the law prohibits legal action for any behavior related to the exchange or reception of cyber-threat information, cybersecurity choices based on such information, and approved network surveillance. It is worth noting that these liability protections do not cover damages caused by a cyberattack, such as data breaches or lawsuits deriving from negligence or breach of contractual cybersecurity responsibilities. Furthermore, it appears that the liability protections do not apply in cases where personal information is disclosed in a way that violates legal privacy obligations. The clauses only address “sharing or receiving of information” that is done legitimately (Section 106(b)(1)). The Cybersecurity Act also protects against the potential of private claims. It forbids federal and state governments from using cyber-threat indicators produced by the private sector to regulate, or bring enforcement actions against, private sector enterprises.

The Cybersecurity Act explicitly states that there is no need to notify or act on cyber-threat indicators.

Collaboration for Healthcare Security: Task Force and Standards Development

Further provisions of the Cybersecurity Act require the Department of Health and Human Services (HHS) to form a task force devoted to cybersecurity in the healthcare industry. Reporting on cybersecurity challenges in the healthcare industry is the responsibility of this task force. The provisions also instruct HHS to develop optional cybersecurity standards for healthcare data that comply with HIPAA and NIST. Crucially, a number of stakeholders (including HIPAA-covered businesses, patient advocates, providers of health information technology, and manufacturers of pharmaceuticals and devices) must be included in these rules.

A Time-Bound Approach: The Sunset Provision in the Cybersecurity Act

Although some important regulations regarding information sharing will expire on September 30, 2025, they will still be applicable to actions taken before that date.


The 2015 Cybersecurity Act marks a pivotal step in bolstering national cybersecurity defenses through enhanced information sharing between private and public sectors. By establishing robust frameworks for collaboration, the Act aims to mitigate cyber threats while upholding privacy and civil liberties. It empowers entities to monitor and protect their networks, encourages the development of cybersecurity standards, and provides liability protections to foster a cooperative cybersecurity environment. As cybersecurity threats evolve, continuous evaluation and adaptation of such legislation will be crucial. Future legislative efforts will likely focus on refining these measures to address emerging challenges and enhance global cybersecurity resilience.
