Sec. 104. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats
/bill/114/s/754/es/section-104·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor— an information system of such private entity; an information system of another entity, upon the authorization and written consent of such other entity; an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
Nothing in this subsection shall be construed— to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this title; or to limit otherwise lawful activity.
Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to— an information system of such private entity in order to protect the rights or property of the private entity; an information system of another entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
Nothing in this subsection shall be construed— to authorize the use of a defensive measure other than as provided in this subsection; or to limit otherwise lawful activity.
Except as provided in paragraph (2) and notwithstanding any other provision of law, an entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other entity or the Federal Government a cyber threat indicator or defensive measure.
An entity receiving a cyber threat indicator or defensive measure from another entity or Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing entity or Federal entity.
Nothing in this subsection shall be construed— to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or to limit otherwise lawful activity.
An entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
An entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing— review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat and remove such information; or implement and utilize a technical capability configured to remove any information contained within such indicator that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat.
Consistent with this title, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes— be used by an entity to monitor or operate a defensive measure that is applied to— an information system of the entity; or an information system of another entity or a Federal entity upon the written consent of that other entity or that Federal entity; and be otherwise used, retained, and further shared by an entity subject to— an otherwise lawful restriction placed by the sharing entity or Federal entity on such cyber threat indicator or defensive measure; or an otherwise applicable provision of law.
Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
Except as provided in clause (ii), a cyber threat indicator shared with a State, tribal, or local government under this section may, with the prior written consent of the entity sharing such indicator, be used by a State, tribal, or local government for the purpose of preventing, investigating, or prosecuting any of the offenses described in section 105(d)(5)(A)(vi).
If exigent circumstances prevent obtaining written consent under clause (i), such consent may be provided orally with subsequent documentation of the consent.
A cyber threat indicator shared with a State, tribal, or local government under this section shall be— deemed voluntarily shared information; and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.
Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this title shall not be directly used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any entity, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
A cyber threat indicator or defensive measure shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.
Except as provided in section 108(e), it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this title.
Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with— facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
The sharing of a cyber threat indicator with an entity under this title shall not create a right or benefit to similar information by such entity or any other entity.