On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”). These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, were issued in February.
Overview of CISA
CISA, which Congress passed in December 2015, creates a voluntary cyberthreat information-sharing regime designed to improve cybersecurity in America. As outlined in Congress’ Joint Explanatory Statement to Accompany the Cybersecurity Act Of 2015, the goal of CISA is to “encourage public and private sector entities to share cyber threat information.” Although the sharing of cybersecurity information can conflict with corporate goals to protect intellectual property, CISA attempts to remove these barriers in order to foster greater cooperation and collaboration in the face of growing cybersecurity threats to national and economic security.
CISA creates a voluntary system of information sharing in which companies are authorized to share cyber threat indicators (“CTIs”) and defensive measures (“DMs”) with federal and state governments, as well as with other companies and private entities. To encourage cybersecurity information sharing, CISA provides a variety of legal protections to encourage sharing (e.g., an exemption from federal antitrust laws and federal and state freedom of information and similar laws, and a non-waiver of any applicable privilege).
However, in order to receive full immunity from government and private lawsuits and other claims that may arise out of CISA-compliant monitoring, the information-sharing must be done in a manner consistent with the means specified by DHS in its Guidance. For additional background on CISA, please see our prior coverage.
To date, however, companies have been reticent to participate in the voluntary information-sharing outlined in the CISA. Commentators have identified various reasons for this, including concerns about potential regulatory consequences, general distrust of the government, and complexity and confusion surrounding the interplay among CISA and federal regulations, to name a few. Additionally, the CISA protections apply only in the U.S., so companies that have global operations fear that cyber information shared under CISA could be acquired by individuals outside the US and might inform legal actions in other jurisdictions.
Final Guidance and Procedures
In the Guidance and Final Procedures, DHS provides detailed information about the process undertaken by DHS when it receives information, including both automated and manual review procedures. For example, the Final Guidance outlines specific procedures relating to the receipt, processing, and dissemination of CTIs submitted through both automated and non-automated means, as well as some of the logistical details and operational procedures for DHS’ processes.
On the same day that the updated Guidance and Final Procedures were released, members of the House Homeland Security Committee’s cybersecurity, infrastructure protection and security technologies subcommittee reportedly met with industry representatives to examine industry perspectives on the implementation of CISA. The consensus among industry representatives was that the clarity provided by the DHS Guidance and Final Procedures may generate additional interest regarding, and use of, the information-sharing contemplated by CISA. Industry representatives have suggested that the increased transparency in DHS’ process, coupled with its continued development of and investment in the information-sharing process, could potentially ease some of the industry concerns by giving organizations a better understanding of what is being asked of them and DHS’s process of handling this information. While this represents progress, additional participation from private-sector companies will likely be driven by evidence of benefits being conferred on companies that are participating.
Our Take
The decision for a company to participate in cybersecurity information sharing under CISA is complex and involves various factual and legal considerations.
Particularly, in these early stages of CISA’s implementation, Companies must thoroughly evaluate the benefits and risks associated with participating in the information sharing process. For a number of companies, particularly those that consider their cyber security systems a competitive advantage, this analysis may largely depend on the particular circumstances of the threat or incident. Further, companies should consult with legal counsel regarding the litigation risks posed by both sharing and receiving threat information. In either case, a company should be prepared to either mitigate the incident that it has reported, or assess and respond to the threat information it receives. Failure to do so exposes the company to later claims by plaintiffs that the company failed to adequately address known risks.
A company that decides to share information under CISA should make certain that it has procedures and systems in place to collect, screen, and report the information it plans to share—particularly because CISA’s protections apply only when sharing is conducted in accordance with the law’s specific requirements, including those that restrict the type of information shared, the manner in which information is shared, and the removal of personal information. Additional considerations exist for public companies, as information sharing under CISA may implicate securities laws insofar as sharing cyber information could be considered material information requiring disclosure in a public filing.
Effective information sharing is likely to require coordination among a company’s legal, IT, and compliance functions to ensure that the company complies with CISA and DHS guidance in order to receive maximum protection under the law.
* Mia Havel is admitted to practice law in Massachusetts and the District of Columbia. Her practice is supervised by principals of the firm admitted in Colorado.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.
