Data Protection Report

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on September 30, 2025, after Congress missed the reauthorization deadline. That lapse removes the decade-old legal framework that encouraged and protected cyber threat information sharing among companies, Information Sharing and Analysis Organizations and Centers (ISAOs/ISACs), and the federal government.

In practical terms, the lapse of CISA 2015 removes statutory protections and liability exemptions companies relied upon to share cyber threat information with private and public partners. While cyber threat information may continue to be shared as it was prior to the implementation of CISA 2015, companies should now understand and reassess the risks associated with their current practices.

Background

CISA 2015, codified at 6 U.S.C. §§ 1501 et seq., was enacted to incentivize collaboration from companies who hesitated to share actionable cyber threat intelligence and defensive measures out of fear of litigation, regulatory scrutiny, antitrust liability, or unwanted disclosures of sensitive information. To strengthen collective cybersecurity defenses, the law provided a voluntary framework for companies to share cyber threat indicators and defensive measures such as indicators of compromise (IoCs), and tactics, techniques and procedures (TTPs) with other private entities and the government.

CISA 2015 included the following key measures and legal protections:

• Authorization to Monitor and Deploy Defensive Measures: The law provided a liability shield authorizing companies to conduct cybersecurity monitoring and deploy defensive measures in their IT environment “notwithstanding any other provision of law.” Additionally, CISA 2015 also authorized companies to undertake such monitoring and deployment of defensive measures on the information systems of other companies and Federal entities, provided the owner of the information systems gave consent to it.
• Antitrust Exemption: CISA 2015 provided exemptions from antitrust liability when companies shared cyber threat indicators or defensive measures with other companies.
• FOIA Exemption: The law exempted information shared under CISA 2015 from disclosure under the Freedom of Information Act (FOIA) and other state open records laws.
• Privilege Protections: Under CISA 2015, sharing cyber threat indicators and defensive measures with the federal government did not constitute a waiver of privilege or other protections such as trade secret protection. The law also exempted information shared with federal agencies from rules limiting ex parte communications with officials.
• Privacy Guardrails: CISA 2015 also included privacy guardrails which required companies to remove personal information prior to sharing cyber threat intelligence.
• Automated Indicator Sharing: The implementation of the law led the Cybersecurity and Infrastructure Security Agency (CISA) to create an automated indicator sharing (AIS) system which permitted rapid exchange of unclassified machine-readable cyber threat indicators between participants

New Risks and How to Address Them

Over the last ten years, CISA 2015 streamlined the risk analysis of companies sharing cyber threat information and contributed to normalizing public-private information sharing. CISA 2015 provided a reliable framework of exemptions protecting companies from most legal and regulatory risks associated with sharing cyber threat information, fostering collaboration and facilitating real-time awareness of cyber threats. With the statute expired, companies’ risk calculus reverts to a patchwork of general laws, policy statements, contracts, and sector-specific rules.

While the law included a provision planning for the expiration of the legislation after ten years, CISA 2015 also contained a section that preserved protections for actions taken and information shared before the law sunset (6 U.S.C. § 1510(b)). As such, companies should focus on the current challenges created by the expiration of the law rather than assessing prior information sharing practices which remain covered by the law.

As there is no general prohibition against sharing cyber threat information or defensive measures, companies may continue to share this information with other private and public entities despite the expiration of CISA 2015. However, in the absence of the statute’s protections, companies should be aware of and assess the following key legal risks. In practice, companies should address the following points in the coming week:

• Re-assess and Confirm Automated Sharing Program:  Companies should consider pausing and reassessing contributions to automated feeds to federal endpoints (e.g., AIS) that were justified solely based on the authority of CISA 2015. Companies may decide to keep receiving cyber threat intelligence while evaluating their risk exposure, which may not apply to companies with specific interconnection agreement or with certain risk postures dictating otherwise. Notably, the report issued on September 26, 2025, by the Department of Homeland Security Office of Inspector General (DHS OIG) found that CISA had not finalized post-sunset plans for AIS. As such, it is essential for companies to confirm the status of the program before continuing further outbound information sharing.
• Re-evaluate FOIA Exposure: Information shared with the government no longer benefits from CISA 2015’s explicit FOIA and state disclosure exemptions. As such, companies may need to reassess the extent of information shared with the government to limit the risk of unwanted disclosure of sensitive information. Nevertheless, agencies may still protect information submitted by companies under Exemption 4 of the FOIA, which protects trade secrets and commercial or financial information.
• Re-assess “Private-to-Private” Information Sharing: Companies should ensure that their information sharing programs with ISACs/ISAOs and other private entities contain the necessary antitrust guardrails. While most well-designed programs already exclude information on pricing or output, the expiration of CISA 2015 provides an opportunity for companies to validate these practices. Companies may decide to go further and update ISACs/ISAOs participation agreements to remove reliance on CISA 2015 and strengthen confidentiality provisions and downstream usage constraints.
• Enhance Privacy Scrubbing and Data Hygiene: Even though CISA 2015 lapsed, companies may consider adopting as internal policy CISA’s privacy guidelines regarding removal of personal information in the context of information sharing. Companies should scrub information not directly related to cybersecurity threats and maintain appropriate logging to align with general federal expectations and reduce litigation risk.
• Re-assess Regulatory and Liability Risks: CISA 2015 contained a “no regulatory” exemption which prevented regulators from relying on cyber threat indicators and defensive measures to initiate enforcement actions against companies sharing such information under the statute. Without this protection, sector-regulated entities (e.g., financial services, healthcare, critical infrastructure) should coordinate with their regulatory liaison teams before sharing further information with the government. Additionally, without CISA 2015’s explicit liability protection, companies may face legal exposure when monitoring information systems or sharing cyber threat indicators with other entities. While the expiration of CISA 2015 does not necessarily make liability a likely prospect, companies should assess their current information sharing practices in light of this potential shift in risk exposure.
• Governance and Training: Companies may decide to organize targeted workshops with their security operations center (SOC) and IT teams, incident response teams, and privacy teams to address the consequences of the statute’s expiration. These workshops should emphasize that information sharing with private partners may continue under updated agreements with appropriate safeguards, and information sharing with government entities should be deliberate pending the reauthorization of CISA 2015.Companies should confirm that the cyber threat information shared with third parties does not include information protected under the attorney-client privilege or trade secret protections Additionally, companies may ask their antitrust and privacy counsel  for concise deliverables presenting examples of what can be shared (e.g., IOCs, TTPs), and what cannot be shared externally (e.g., personal information, competitively sensitive non-security related information).

Our Take

The path to reauthorization of CISA 2015 is uncertain but not unfeasible. Companies should continue to harvest the benefits of cybersecurity information sharing with public and private entities to reinforce their cybersecurity program. However, while the timeline for Congress to restore CISA 2015 remains unclear, companies should treat this lapse as a temporary but real change in legal posture. Removing personal information and sensitive business details should remain a priority when sharing information with third parties. Continued engagement from the company’s legal team and external counsel is essential to effectively manage legal risks associated with information system monitoring and cyber threat intelligence sharing.