114 S4985 IS: Cryptocurrency Cybersecurity Information Sharing Act U.S. Senate 2022-09-28 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

II117th CONGRESS2d SessionS. 4985IN THE SENATE OF THE UNITED STATESSeptember 28, 2022Mrs. Blackburn (for herself and Ms. Lummis) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban AffairsA BILLTo amend the Cybersecurity Information Sharing Act of 2015 to include voluntary information sharing of cyber threat indicators among cryptocurrency companies, and for other purposes.

1.

Short title

This Act may be cited as the Cryptocurrency Cybersecurity Information Sharing Act.

2.

Sharing of cyber threat indicators by covered companies

(a)

In general

The Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.) is amended—(1)in section 102(15)(A) (6 U.S.C. 1501(15)(A)) by inserting covered company (as defined in section 110), after cooperative,;(2)by redesignating sections 110 and 111 (6 U.S.C. 1509, 1510) as sections 111 and 112, respectively; and(3)by inserting after section 109 (6 U.S.C. 1508) the following:

110.

Sharing of cyber threat indicators by covered companies

(a)

Definitions

In this section:(1)

Covered company

(A)

In general

Subject to subparagraph (B), the term covered company means an entity—(i)that is—(I)engaged in the business of validating distributed ledger technology transactions;(II)engaged in the business of developing digital assets or the corresponding protocols for use of digital assets by other persons;(III)an association of entities that manage digital assets or distributed ledger technologies; or(IV)a commercial general liability insurance provider or property insurance provider offering products designed to mitigate losses from a variety of cyber incidents, including—(aa)data breaches;(bb)ransomware attacks;(cc)business interruption; and(dd)network damage; and(ii)that shares or receives information under this section.(B)

Money services businesses and financial institutions

For purposes of paragraphs (1), (2), and (3) of subsection (b), the term covered company includes an entity that is a money services business, or that otherwise is a financial institution, as defined in section 5312 of title 31, United States Code, for purposes of digital asset activity engaged in by the entity. (2)

Digital asset

The term digital asset means a natively electronic asset that—(A)confers economic, proprietary, or access rights or powers; and (B)is recorded using cryptographically secured distributed ledger technology, or any similar analogue.(3)

Distributed ledger technology

The term distributed ledger technology means technology that enables the operation and use of a ledger that—(A)is shared across a set of distributed nodes that participate in a network and store a complete or partial replica of the ledger;(B)is synchronized between the nodes;(C)has data appended to the ledger by following the specified consensus mechanism of the ledger;(D)may be accessible to anyone or restricted to a subset of participants; and(E)may require participants to have authorization to perform certain actions or require no authorization. (b)

Voluntary information sharing among covered companies

(1)

In general

Subject to paragraphs (2), (3), and (4), a covered company may, under the protection of the safe harbor from liability described in subsection (d), transmit, receive, or otherwise share information with any other covered company regarding individuals, entities, organizations, and countries for purposes of identifying and, as appropriate, reporting activities that the covered company suspects may involve possible cyber threat indicators.(2)

Information sharing between covered companies

(A)

Notice requirement

(i)

In general

A covered company that intends to share information as described in paragraph (1) shall submit a notice of intent to the Financial Crimes Enforcement Network and the Cybersecurity and Infrastructure Security Agency, which shall contain, at a minimum, a list of each other company the covered company intends to share information with.(ii)

Effective period

Each notice provided under clause (i) shall be effective for the 1-year period beginning on the date of the notice.(iii)

Additional notices

Upon expiration of the 1-year period described in subclause (ii), a covered company shall submit an additional notice of intent at the beginning of each year during which the covered company intends to share information as described in paragraph (1).(iv)

List of covered companies that have submitted notice

The Financial Crimes Enforcement Network shall periodically make available a list of covered companies that have submitted a notice under this subparagraph.(B)

Verification requirement

Prior to sharing information as described in paragraph (1), a covered company shall take reasonable steps to verify that the company with which the covered company intends to share information is listed in a notice required under subparagraph (A).(3)

Protection and use of information by covered companies

(A)

Purpose

Information received by a covered company under this section may not be used for any purpose other than—(i)identifying and, as appropriate, reporting on cyber threat indicators; or(ii)assisting the covered company in complying with any requirement of this title.(B)

Procedures for protection of information

Each covered company that engages in the sharing of information under this section shall maintain adequate procedures to protect the security and confidentiality of the information in accordance with the policies and guidelines established under subsection (c).(4)

Reporting requirements for covered companies

(A)

Cybersecurity threat information

A covered company that identifies cybersecurity threat information requiring immediate attention, such as suspected terrorist activity, shall, as soon as practicable but not later than 36 hours after identifying the information—(i)notify an appropriate law enforcement authority and the Cybersecurity and Infrastructure Security Agency Incident Reporting System; and(ii)comply with any other Federal requirements for reporting suspicious activity.(B)

Suspicious activity

(i)

Voluntary reporting to federal agencies

A covered company may voluntarily report suspicious activity to the Financial Crimes Enforcement Network and the Cybersecurity and Infrastructure Security Agency under this section.(ii)

Rule of construction

Nothing in this subparagraph shall be construed to—(I)modify the requirements for reporting suspicious activity if a covered company is subject to such regulations; or(II)create new suspicious activity reporting requirements for a covered company that is not currently subject to such a regulation.(C)

Exemption from disclosure

Information shared under this paragraph shall be exempt from disclosure under any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records, in accordance with section 104(d)(4)(B).(c)

Information sharing between covered companies and the Federal Government

(1)

Policies and procedures

(A)

In general

Not later than 180 days after the date of enactment of the Cryptocurrency Cybersecurity Information Sharing Act, the Director of the Financial Crimes Enforcement Network and the Director of the Cybersecurity and Infrastructure Security Agency shall, in consultation with the National Cyber Director and the heads of the appropriate Federal entities, jointly develop and make publicly available policies and procedures relating to the receipt by the Federal Government of cyber threat indicators shared by covered companies. (B)

Considerations

In developing the policies and procedures required under subparagraph (A), the Director of the Financial Crimes Enforcement Network and the Director of the Cybersecurity and Infrastructure Security Agency shall take into account the requirements described in subsections (a)(3) and (b)(3) of section 105.(C)

Compliance with similar procedures

In the case of a covered company that is required to comply with section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) and the Payment Card Industry Data Security Standard, and applicable regulations issued thereunder, the covered company shall be considered to be acting in compliance with the requirements developed under this subsection if the covered company applies the procedures required under such section 501 to information shared under this section.(2)

Guidelines

(A)

In general

Not later than 60 days after the date of enactment of the Cryptocurrency Cybersecurity Information Sharing Act, the Director of the Financial Crimes Enforcement Network and the Director of the Cybersecurity and Infrastructure Security Agency shall jointly develop and make publicly available guidance— (i)to assist covered companies and promote sharing of cyber threat indicators with Federal entities under this section; and(ii)relating to adequate procedures to protect the security and confidentiality of information shared under this section, as required under subsection (b)(3)(B).(B)

Contents

The guidelines required under subparagraph (A) shall include guidance relating to the following:(i)Identification of types of information that would qualify as a cyber threat indicator under this title and that would be unlikely to include information that—(I)is not directly related to a cybersecurity threat; and (II)is personal information of a specific individual or information that identifies a specific individual.(ii)Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.(iii)Such other matters as the Director of the Financial Crimes Enforcement Network and the Director of the Cybersecurity and Infrastructure Security Agency consider appropriate for entities sharing cyber threat indicators with Federal entities under this title.(3)

Compliance with the Paperwork Reduction Act

In establishing requirements under this subsection, the Secretary shall ensure that the requirements comply with chapter 35 of title 44, United States Code (commonly known as the “Paperwork Reduction Act”). (d)

Safe harbor from certain liability

The liability protections in section 106 shall not apply to a covered company to the extent the company fails to comply with paragraphs (2), (3), and (4) of subsection (b).(e)

Exemption from disclosure

In accordance with paragraphs (3) and (8) of section 502(e) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), if a covered company voluntarily shares information pursuant to this section, the covered company shall not be required to provide any affected consumer the notice required under section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803).

.(b)

Conforming amendment

The table of contents in section 1(b) of division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 129 Stat. 2935) is amended by striking the items relating to sections 110 and 111 and inserting the following: Sec. 110. Sharing of cyber threat indicators by covered companies.Sec. 111. Exception to limitation on authority of Secretary of Defense to disseminate certain information.Sec. 112. Effective period..