
By Richard G. Vartain, Esq.

 

If you are a provider of managed security services or goods, it might come as a surprise to learn that, prior to 2015, monitoring and taking defensive measures on a customer’s network was fraught with liability risk. At that time, cybersecurity was conducted only as an exception to several criminal laws governing the interception and disclosure of wired and electronic communications. These criminal laws included the Electronic Communications Privacy Act,1 and the Foreign Intelligence Surveillance Act.2 Monitoring communications data in a manner inconsistent with the narrow exceptions in these laws, even when conducting defensive cybersecurity measures, was prohibited. Accordingly, the business model for selling cybersecurity services at that time was not viable. Congress reached this conclusion in the middle of the last decade, as did companies hoping to sell cybersecurity services, and the two came together to try to come up with a law that would encourage the widespread adoption of cybersecurity practices by explicitly authorizing network monitoring and defensive measures, the cornerstones of your managed security products and services.

 

I had the privilege and honor to work with accomplished cybersecurity experts at my former company to put forward a model for such a law. We recommended to Congress that a civil, not a criminal law, be enacted to accomplish at least three things: (1) authorize the monitoring of one’s network communications and that of a customer with that customer’s consent for cybersecurity purposes, and obtain cybersecurity threat indicators, (2) permit private cybersecurity companies to take defense measures to stop such threats on one’s network and that of a customer with that customer’s consent, and (3) allow private cybersecurity companies to share threat indicators with other entities, including the government, under certain circumstances.  We recommended that the law provide authorization to take those three actions, notwithstanding any provision in any other law, thus taking the practice of cybersecurity outside the ambit of criminal laws.  We suggested that the law be written in technical terms, rather than descriptive, for cybersecurity professionals such as yourselves.  Congress eventually accepted these and other suggestions and passed what became the Cybersecurity Information Sharing Act of 2015 (“CISA”). 

 

Since then, much has been written about the information-sharing provisions of CISA. Indeed, the Department of Homeland Security and other government agencies have touted CISA’s information-sharing provisions to encourage private companies to lawfully share information with the government, and each other, about cyber threats.3

 

Precious little has been published about the provisions of the statute that authorize the selling of managed security services, however. At Liff, Walsh & Simmons we want to change that and highlight how critical CISA’s authorization provisions are for the selling and purchase of managed security goods and services. CISA authorizes and provides a liability shield for private entities’ cybersecurity-related network monitoring, defensive measures, and information sharing. In other words, public policy is now encouraging, and by law protecting, cybersecurity business practices. Most importantly, if a company’s cybersecurity processes and procedures are compliant with CISA, the company cannot be successfully sued for network monitoring.

 

Thus, if your business model includes, in whole or in part, selling cybersecurity services that include the monitoring of a customer’s communications and using derivative data from such communications, compliance with CISA can ensure a safe harbor for your business.  Liff, Walsh & Simmons can help you draft your agreements with governments or private customers to ensure your activities are covered by the authorizations of CISA. We’ll help you train your workforce to develop and implement processes and procedures to stay within the broad boundaries of those authorizations. Contact our firm so we can look at your existing agreements and processes, and work with you on new ones so that you can protect your business model in the way the law intended.  Just as importantly, you can continue to help safeguard the country and its economic engine by further developing and advancing the product line of cybersecurity services just as Congress hoped in passing the CISA.

 

1 Wiretap Act, 18 U.S.C. §§ 2510-2523; Pen Trap and Trace Act, 18 U.S.C. §§ 3121-3126; Stored Communications Act, 18 U.S.C. §§ 2701-2713. 

2 Foreign Intelligence Surveillance Act, 50 U.S.C. §§ 1801-1813. 

3 See, e.g., Department of Homeland Security and Department of Justice, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (Oct. 2020), https://www.justice.gov/criminal/criminal-ccips/cybersecurity-unit; U.S. Dept. of Justice, Computer Crime & Intellectual Property Section, Criminal Division, Best Practices for Victim Response and Reporting of Cyber Incidents (Sep. 2018), https://www.justice.gov/criminal/criminal-ccips/cybersecurity-unit; U.S. Department of Justice and Trustworthy Accountability Group, Best Practices for Partnering with Law Enforcement (Jun. 2021), https://www.justice.gov/criminal/criminal-ccips/cybersecurity-unit.

 

********

 

Richard G. Vartain is Of Counsel at Liff, Walsh & Simmons and is the lead of the firm’s Government Contracts practice area.

This alert provides general information and is not a full analysis of the matters discussed. It may not be relied on as legal advice. Richard Vartain, a Liff, Walsh & Simmons attorney licensed to practice law in Maryland, the District of Columbia, and Virginia, contributed to the content of this article.

 

If you have questions on this article or another government contracts matter, our attorneys are here to help. Please contact Liff, Walsh & Simmons for assistance. 

Richard Vartain

Richard G. Vartain, Of Counsel, leads the Government Contract practice area for Liff, Walsh & Simmons. His specialties are in areas such as government contract negotiations, business ethics, cybersecurity, and national security.
