Cyber Threat Information Sharing at Risk: What Companies Should Consider if the Cybersecurity Information Sharing Act of 2015 Is Not Renewed

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is set to expire on September 30, alongside a potential government shutdown. (While an extension is included in the House-passed continuing resolution, that bill faces an uncertain fate in the Senate.) This will eliminate important legal protections that undergird cyber threat information sharing and other activities that protect Americans from increasingly sophisticated cyber threats.

The following provides information about the protections included in the current law and things that companies should consider if in fact the legislation sunsets.

Background

Passed in 2015, CISA 2015 was designed to enhance cybersecurity protections. It is codified at 6 U.S.C. § 1501 et seq. and explicitly authorizes private entities to take certain defensive measures to stop cyber attacks; to monitor their own and customers' networks for cyber threats, upon written authorization and consent; and to share cyber threat indicators and defensive measures with one another and the government, in order to support rapid detection of and responses to emerging threats.

In addition to explicitly authorizing such information sharing, the statute places limits on how shared information can be used and provides several protections against liability and unwanted disclosures. The protections are core elements of an effective information-sharing regime and include the following:

  • Exemptions from anti-trust liability (6 U.S.C. § 1503(e))
  • Exemptions from disclosure under FOIA and state sunshine laws (6 U.S.C. §§ 1503(d)(4); 1504(d)(3))
  • Continued applicability of privileges and protections, including trade secret protections for shared information (6 U.S.C. § 1504(d)(1))
  • Continued protection of shared information as the commercial, financial, and proprietary information of a non-federal entity when so designated (6 U.S.C. § 1504(d)(2))
  • Exemptions from rules limiting ex parte communications with federal officials (6 U.S.C. § 1504(d)(4)), and
  • Broad liability protections for information sharing taken consistent with the law (5 U.S.C. § 1505)

The statute puts in place several limits on what the federal government can do with shared information, including required privacy protections and limits on the use of shared information for regulatory purposes or enforcement actions.

What Comes Next

Extension of CISA 2015 is supported by the Trump administration, industry, and members of Congress who have been working on a bipartisan basis to ensure key information sharing that is critical to enhancing cybersecurity continues. We remain hopeful, as a result, that any lapse will be short-term.

That said, there is a risk that even during a short lapse information sharing will stall. Such sharing remains possible, and can and should continue to ensure visibility into emerging threats. Doing so will require new agreements and additional legal review. Among the things for companies to consider:

  • Is there an information-sharing agreement in place to ensure there are appropriate protections for shared information, including how it will be used?
  • Does the information include attorney-client protected communications or other protected information?
  • If sharing with the federal government, is it free of confidential or other sensitive information that would raise concerns if it were to be subsequently disclosed pursuant to FOIA processes or sunshine laws?
  • What internal systems, including legal reviews, are in place prior to such information sharing in order to protect privileges and other sensitive information?

Venable has deep expertise in these issues. We are available to help clients understand the implications of a lapse of CISA 2015, the kinds of information-sharing agreements and processes needed, and additional steps that entities should consider in order to protect themselves from liability and other related risks.

For further information, contact Jennifer Daskal, John Banghart, or Caitlin Clarke, or reach out to any of the professionals on our Cybersecurity Services team.