Information Sharing under the New Cybersecurity Law

The text of the the Cybersecurity Information Sharing Act (CISA) was incorporated by amendment into a consolidated spending bill in the House, and signed into law by President Obama in December. CISA authorizes entities to share certain information relating to data security threats and defenses with other companies and/or the federal government, so it can be used to help defend against or avoid cyber threats. The assumption is that rapid and widespread information sharing regarding cybersecurity threats will improve the ability of all organizations to respond.

Entities are authorized to share any “cyber threat indicator” or “defensive measure.” A cyber threat indicator includes information needed to “describe or identify” any one or combination of several defined items, including methods for defeating security and anomalous activities that may indicate a vulnerability or threat. “Defensive measures,” means techniques for detecting, preventing or mitigating a threat.

CISA has several express protections, including a specific antitrust exemption and a guarantee that sharing information with the federal government does not constitute a waiver of any privilege or legal protection that would otherwise apply. This expressly includes trade secret protection.

Under the section titled “Protection from Liability,” private entities are granted virtual immunity from lawsuits for behavior in accordance with the Act.

A company that discloses a breach under CISA may still face claims from the individuals whose data was disclosed, but claims of harm arising from sharing information with the federal government would be barred.