Sec. 4. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats
822 words·~4 min read·
/bill/113/s/2588/pcs/section-4A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor— the information systems of such private entity; the information systems of another entity, upon written consent of such other entity; the information systems of a Federal entity, upon written consent of an authorized representative of the Federal entity; and information that is stored on, processed by, or transiting the information systems monitored by the private entity under this paragraph.
Nothing in this subsection shall be construed to authorize the monitoring of information systems other than as provided in this subsection or to limit otherwise lawful activity. Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate countermeasures that are applied to— the information systems of such private entity in order to protect the rights or property of the private entity; the information systems of another entity upon written consent of such entity to protect the rights or property of such entity; and the information systems of a Federal entity upon written consent of an authorized representative of such Federal entity to protect the rights or property of the Federal Government.
Nothing in this subsection shall be construed to authorize the use of countermeasures other than as provided in this subsection or to limit otherwise lawful activity. Notwithstanding any other provision of law, and for the purposes permitted under this Act, an entity may, consistent with the protection of classified information, share with, or receive from, any other entity or the Federal Government cyber threat indicators and countermeasures. Nothing in this subsection shall be construed to authorize the sharing or receiving of cyber threat indicators or countermeasures other than as provided in this subsection or to limit otherwise lawful activity.
An entity or Federal entity monitoring information systems, operating countermeasures, or providing or receiving cyber threat indicators or countermeasures under this section shall implement and utilize security controls to protect against unauthorized access to or acquisition of such cyber threat indicators or countermeasures. An entity or Federal entity sharing cyber threat indicators pursuant to this Act shall, prior to such sharing, remove any information contained within such indicators that the entity or Federal entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat.
Consistent with this Act, cyber threat indicators or countermeasures shared or received under this section may, for cybersecurity purposes— be used by an entity to monitor or operate countermeasures on its information systems, or the information systems of another entity or a Federal entity upon the written consent of that other entity or that Federal entity; and be otherwise used, retained, and further shared by an entity. Nothing in this paragraph shall be construed to authorize the use of cyber threat indicators or countermeasures other than as provided in this section.
Except as provided in clause (ii), cyber threat indicators shared with a State, tribal, or local department or agency under this section may, with the prior written consent of the entity sharing such indicators, be used by a State, tribal, or local department or agency for the purpose of preventing, investigating, or prosecuting a computer crime. If the need for immediate use prevents obtaining written consent, such consent may be provided orally with subsequent documentation of the consent.
Cyber threat indicators shared with a State, tribal, or local department or agency under this section shall be— deemed voluntarily shared information; and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records. Cyber threat indicators shared with a State, tribal, or local department or agency under this section may, consistent with State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
Such cyber threat indicators shall not otherwise be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity. Except as provided in section 8(e), it shall not be considered a violation of any provision of antitrust laws for two or more private entities to exchange or provide cyber threat indicators, or assistance relating to the prevention, investigation, or mitigation of cybersecurity threats, for cybersecurity purposes under this Act.
Paragraph
(1)shall apply only to information that is exchanged or assistance provided in order to assist with— facilitating the prevention, investigation, or mitigation of cybersecurity threats to information systems or information that is stored on, processed by, or transiting an information system; or communicating or disclosing cyber threat indicators to help prevent, investigate, or mitigate the effects of cybersecurity threats to information systems or information that is stored on, processed by, or transiting an information system. The sharing of cyber threat indicators with an entity under this Act shall not create a right or benefit to similar information by such entity or any other entity.