The ISSA Journal recently included an article, Sharing Cyber Threat Information: A Legal Perspective, authored by Utsav Mathur and I (David Navetta) concerning potential legal risks associated with intra-industry sharing of cyber-threat information. The article summarizes recent efforts by the US government to encourage more information sharing concerning cyber threats and data-security incidents within industries. Recent Department of Justice and Federal Trade Commission policy statements provide guidance concerning the antitrust legal risks associated with such sharing and how companies may reduce that risk. In addition, a DOJ press release from October 2014 addressed similar issues and cleared the way for one online cyber intelligence data-sharing platform. Finally, the article goes into some of the practical legal risks companies may face when participating in a cyber-threat information exchange, including risk related to corporate financial disclosures of cyber risk, establishing industry standards through information sharing and incomplete, inaccurate or fraudulent information in cyber-threat information exchanges.
