Published: April 2015
In January 2015, President Obama announced a new legislative proposal aimed at enhancing cybersecurity by authorizing information sharing between private entities and the government, as well as among private entities. The latest proposal updates a previous White House proposal and contains many of the same elements as the highly contentious Cyber Intelligence Sharing and Protection Act (CISPA) and Cybersecurity Information Sharing Act (CISA).
Because the bills use seemingly overlapping language, it can be difficult to tell them apart. This study breaks the proposals down into six main topic areas: 1) what information can be shared, 2) whom information can be shared with, 3) privacy protections before information is shared, 4) privacy protections for government sharing of information, 5) government sharing with law enforcement, and 6) liability protections. Breaking the proposals down by topic area allows a side-by-side comparison of the language in each proposal. This chart, along with the accompanying analysis, provides a detailed examination of Obama's proposed legislation, focusing on how the latest proposal compares to the other cybersecurity efforts.
1) What information can be shared

Previous White House proposal:
Sec. 245(a): any communication, record, or other information…for the purpose of protecting an information system from cybersecurity threats or mitigating such threats.
Sec. 242(8) defines cybersecurity threat as: any action that may result in unauthorized access to, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system, or unauthorized exfiltration of information stored on or transiting an information system.

Obama 2015 proposal:
Sec. 103(a): cyber threat indicators.
Sec. 102(2) defines cyber threat indicators as: information necessary to indicate, describe or identify the following:
(i) Malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat;
(ii) A method of defeating a technical or operational control;
(iii) A technical vulnerability;
(iv) A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system inadvertently to enable the defeat of a technical control or an operational control;
(v) Malicious cyber command and control;
(vi) Any combination of the above.

CISPA:
Sec. 3(a): Cyber threat intelligence
Sec. 3(g)(5) defines cyber threat intelligence as: intelligence in the possession of an element of the intelligence community directly pertaining to—
(i) a vulnerability of a system or network of a government or private entity or utility;
(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;
(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or
(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.
(B) EXCLUSION.—Such term does not include intelligence pertaining to efforts to gain unauthorized access to a system or network of a government or private entity or utility that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.

CISA:
Sec. 4(c): cyber threat indicators
Sec. 2(6) defines cyber threat indicator as: information that is necessary to describe or identify—
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
2) Whom information can be shared with

Previous White House proposal:
Sec. 245(a)(1): A nonfederal governmental or private entity, or any officer, employee, or agent thereof, that lawfully intercepts, acquires, or otherwise obtains or possesses any communication, record, or other information, notwithstanding any other provision of law and consistent with section 248(a), may disclose that communication, record, or other information to the cybersecurity center designated by the Secretary under section 243(c)(5) for the purpose of protecting an information system from cybersecurity threats or mitigating such threats...
Sec. 245(a)(2): An agency, or any officer, employee, or agent thereof, that lawfully intercepts, acquires, or otherwise obtains or possesses any communication, record, or other information from its electronic communications system, notwithstanding any other provision of law and consistent with section 248(b), may disclose that communication, record, or other information to—
(A) another component, officer, employee, or agent of that agency with cybersecurity responsibilities;
(B) the cybersecurity center designated by the Secretary under section 243(c)(5); or
(C) a private entity that is acting as a provider of electronic communication services, remote computing service, or cybersecurity services to the agency.

Obama 2015 proposal:
Sec. 103(a): Notwithstanding any other provision of law, any private entity may disclose lawfully obtained cyber threat indicators to private information sharing and analysis organizations, and the National Cybersecurity and Communications Integration Center, consistent with this Act.
Sec. 103(b): Any entity may disclose lawfully obtained cyber threat indicators to a Federal entity for investigative purposes consistent with its lawful authorities.

CISPA:
Sec. 3(a): The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence… classified cyber threat intelligence may only be—
(A) shared by an element of the intelligence community with—
(i) a certified entity; or
(ii) a person with an appropriate security clearance to receive such cyber threat intelligence.
Sec. 3(b)(1)(A) CYBERSECURITY PROVIDERS.—Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes— …(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the entities of the Department of Homeland Security and the Department of Justice designated under paragraphs (1) and (2) of section 2(b) of the Cyber Intelligence Sharing and Protection Act.
Sec. 3(b)(1)(B) SELF-PROTECTED ENTITIES.—Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes— …(ii) share such cyber threat information with any other entity, including the entities of the Department of Homeland Security and the Department of Justice designated under paragraphs (1) and (2) of section 2(b) of the Cyber Intelligence Sharing and Protection Act.

CISA:
Sec. 4(c)(1) IN GENERAL.—Except as provided in paragraph (2) and notwithstanding any other provision of law, an entity may, for the purposes permitted under this Act and consistent with the protection of classified information, share with, or receive from, any other entity or the Federal Government a cyber threat indicator or defensive measure.
3) Privacy protections before information is shared

Previous White House proposal:
Sec. 245(a)(1): Reasonable efforts are undertaken to remove information that can be used to identify specific persons unrelated to the cybersecurity threat before any disclosure.

Obama 2015 proposal:
Sec. 201(a)(2)(B): Reasonable efforts have been made to remove information that can be used to identify specific persons reasonably believed to be unrelated to the cyber threat.

CISPA:
Sec. 3(b)(2)(A): Cyber threat information…
(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information and excluding limiting a department or agency of the Federal Government from sharing such information with another department or agency of the Federal Government in accordance with this section

CISA:
Sec. 4(d)(2): REMOVAL OF CERTAIN PERSONAL INFORMATION.—An entity sharing a cyber threat indicator pursuant to this Act shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat and remove such information; or
(B) implement and utilize a technical capability configured to remove any information contained within such indicator that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat.
4) Privacy protections for government sharing of information

Previous White House proposal:
Sec. 248(a): In consultation with privacy and civil liberties experts, the Secretary shall develop and periodically review policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications, records, system traffic, or other information associated with specific persons by officers, employees, and agents of the Department obtained in connection with activities authorized in this subtitle. The policies and procedures developed under this subsection shall be reviewed and approved by the Attorney General. Such policies and procedures shall—
(1) minimize the impact on privacy and civil liberties, consistent with the need to protect federal systems and critical information infrastructure from cybersecurity threats and mitigate cybersecurity threats;
(2) reasonably limit the acquisition, interception, retention, use and disclosure of communications, records, system traffic, or other information associated with specific persons consistent with the need to carry out the responsibilities of this subtitle, including establishing a process for the timely destruction on recognition of communications, records, system traffic or other information that is acquired or intercepted pursuant to this section that does not reasonably appear to be related to protecting federal systems and critical information infrastructure from cybersecurity threats and mitigating cybersecurity threats;
(3) include requirements to safeguard communications, records, system traffic or other information that can be used to identify specific persons from unauthorized access or acquisition; and
(4) protect the confidentiality of disclosed communications, records, system traffic, or other information associated with specific persons to the greatest extent practicable and require recipients of such information to be informed that the communications, records, system traffic or other information disclosed may only be used for protecting information systems against cybersecurity threats, mitigating against cybersecurity threats, or law enforcement purposes when the information is evidence of a crime that has been, is being, or is about to be committed, as specified by the Secretary.

Obama 2015 proposal:
Sec. 107(a): The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act. Such policies and procedures shall—
(1) reasonably limit the acquisition, interception, retention, use and disclosure of cyber threat indicators that are reasonably likely to identify specific persons, consistent with the need to carry out the responsibilities of this Act, including by—
(A) establishing a process for the timely destruction of information that is known not to be directly related to a purpose or use authorized under the Act;
(B) establishing a process to anonymize and safeguard information received and disclosed, that can be used to identify specific persons unrelated to a cyber threat.

CISPA:
Sec. 2(b)(5)(A): The Secretary of Homeland Security, the Attorney General, the Director of National Intelligence, and the Secretary of Defense shall jointly establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with section 1104(b) of the National Security Act of 1947, as added by section 3(a) of this Act. Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner—
(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.

CISA:
Sec. 5(b)(1) GUIDELINES OF ATTORNEY GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1), develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
(2) FINAL GUIDELINES.—
(A) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1) and such private entities with industry expertise as the Attorney General considers relevant, promulgate final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
Sec. 5(b)(3) CONTENT.—The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the impact on privacy and civil liberties of activities by the Federal Government under this Act;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of or identifying specific persons, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this Act; and
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of or identifying specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(E) protect the confidentiality of cyber threat indicators containing personal information of or identifying specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this Act; and
(F) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
5) Government sharing with law enforcement

Previous White House proposal:
Sec. 248(a)(4): …communications, records, system traffic or other information disclosed may only be used for…law enforcement purposes when the information is evidence of a crime that has been, is being, or is about to be committed, as specified by the Secretary.

Obama 2015 proposal:
Sec. 107(a)(2): permit law enforcement use of cyber threat indicators received by a government entity pursuant to Section 105, only to investigate, prosecute, disrupt, or otherwise respond to—
(A) a computer crime;
(B) a threat of death or serious bodily harm;
(C) a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(D) an attempt or conspiracy to commit an offense described in (A)–(C).

CISPA:
Sec. 3(c)(1): The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)— …
(B) for the investigation and prosecution of cybersecurity crimes;
(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or
(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.

CISA:
Sec. 4(d)(4): LAW ENFORCEMENT USE.—
(i) PRIOR WRITTEN CONSENT.—Except as provided in clause (ii), a cyber threat indicator shared with a State, tribal, or local government under this section may, with the prior written consent of the entity sharing such indicator, be used by a State, tribal, or local government for the purpose of preventing, investigating, or prosecuting any of the offenses described in section 5(d)(5)(A)(vi).
(ii) ORAL CONSENT.—If exigent circumstances prevent obtaining written consent under clause (i), such consent may be provided orally with subsequent documentation of the consent.
Sec. 5(d)(5)(A) AUTHORIZED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(i) a cybersecurity purpose;
(ii) the purpose of identifying a cybersecurity threat, including the source of such cybersecurity threat, or a security vulnerability;
(iii) the purpose of identifying a cybersecurity threat involving the use of an information system by a foreign adversary or terrorist;
(iv) the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
(v) the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(vi) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iv) or any of the offenses listed in—
(I) section 3559(c)(2)(F) of title 18, United States Code (relating to serious violent felonies);
(II) sections 1028 through 1030 of such title (relating to fraud and identity theft);
(III) chapter 37 of such title (relating to espionage and censorship); and
(IV) chapter 90 of such title (relating to protection of trade secrets).
6) Liability protections

Previous White House proposal:
Sec. 246(a): No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any nonfederal governmental or private entity, or any officer, employee, or agent thereof, for—
(1) the disclosure of any communication, record, or other information authorized by this subtitle; or
(2) any assistance provided to the Department pursuant to section 244(e), and any such action shall be dismissed promptly.
(b) Where a civil or criminal cause of action is not barred under subsection (a), a good faith reliance by any person on a legislative authorization, a statutory authorization, or a good faith determination that this subtitle permitted the conduct complained of, is a complete defense against any civil or criminal action brought under this subtitle or any other law.

Obama 2015 proposal:
Sec. 106(a): Liability for Disclosure of Cyber Threat Indicators.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity for the voluntary disclosure or receipt of a lawfully obtained cyber threat indicator consistent with the requirements of this Act, and that the entity was not otherwise required to disclose, to or from—
(1) the National Cybersecurity and Communications Integration Center, pursuant to Section 105; or
(2) a private information sharing and analysis organization, provided such organization maintains a publicly-available self-certification that it has adopted the best practices in accordance with those identified or developed pursuant to Section 104.

CISPA:
Sec. 3(b)(3): No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—
(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
(ii) for decisions made for cybersecurity purposes and based on cyber threat information identified, obtained, or shared under this section.
(B) LACK OF GOOD FAITH.—For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.

CISA:
Sec. 6 PROTECTION FROM LIABILITY.
(a) Monitoring Of Information Systems.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of information systems and information under section 4(a) that is conducted in accordance with this Act.
(b) Sharing Or Receipt Of Cyber Threat Indicators.—No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures under section 4(c) if—
(1) such sharing or receipt is conducted in accordance with this Act; and
(2) in a case in which a cyber threat indicator or defensive measure is shared with the Federal Government, the cyber threat indicator or defensive measure is shared in a manner that is consistent with section 5(c)(1)(B) and the sharing or receipt, as the case may be, occurs after the earlier of—
(A) the date on which the interim policies and procedures are submitted to Congress under section 5(a)(1); or
(B) the date that is 60 days after the date of the enactment of this Act.
(c) Construction.—Nothing in this section shall be construed—
(1) to require dismissal of a cause of action against an entity that has engaged in gross negligence or willful misconduct in the course of conducting activities authorized by this Act; or
(2) to undermine or limit the availability of otherwise applicable common law or statutory defenses.