Cybersecurity Information Sharing Act

CISA was passed in October 2015. The law is considered significant because it sets legal boundaries for the sharing of sensitive cybersecurity information within and between the private sector and government. It addresses a core problem: organizations are reluctant to share cybersecurity information that may expose them to civil or criminal liability, embarrassment, and loss of trust. This is especially true for companies that have just suffered a data breach.

The objective of CISA is to improve cybersecurity in the United States through sharing of information about cybersecurity threats and breaches as well as for other purposes. The law authorizes private companies to share cybersecurity threat information for “cybersecurity purposes” with the federal government and with other private entities. A “cybersecurity purpose” is defined as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”

CISA contains four titles:

  • Title I establishes a centralized mechanism for cybersecurity information sharing.

  • Title II instructs DHS to take measures designed to strengthen cybersecurity in the federal government and at federal agencies as well as to facilitate the implementation of Title I.

  • Title III calls for a cybersecurity-focused assessment of the federal workforce.

  • Title IV provides for other measures intended to identify and address threats to critical information

Key components of the act are as follows:

  • It limits the use of shared information by federal and state governments. The permissible purposes are to respond to, prevent, mitigate, investigate, or prosecute events that are considered a “threat of serious economic harm”.

  • It does not create a duty to share. CISA does not require private companies to share sensitive information. In fact, the act expressly prohibits the federal government from attempting to coerce sharing by withholding cybersecurity information or other benefits such as awarding government contracts.

  • It provides authorization to use defensive measures. CISA also authorizes private entities to use defensive measures to protect information systems and data. However, CISA expressly prohibits private companies from attacking or “hacking back.”

  • Liability protections require sharing “in accordance” with CISA. To benefit from CISA’s safe harbor from civil and antitrust liability, private entities’ sharing activity must be “conducted in accordance” with CISA rules.

  • Communications with regulatory authorities are permitted. Communication with regulators does not result in loss of CISA’s liability protections.
