Cybersecurity sunset: navigating the expiration of CISA’s legal protections

The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”, codified at 6 U.S.C. §§ 1501 et seq.) is scheduled to expire on September 30, 2025, absent last-moment reauthorization from Congress.

The statute, designed to encourage the sharing of cyber threat information among private sector entities and with the federal government, provides explicit authorization and legal protections for information sharing and the monitoring and defense of private sector systems.

The lapse of CISA 2015 does not mean that companies may no longer share cyber threat information with public and private partners. Indeed, the sharing of technical threat information such as indicators of compromise (IOCs) and malicious tactics, techniques and procedures (TTPs) remains lawful, just as it was prior to the enactment of CISA 2015.

However, without the protections of CISA 2015, companies should consider taking some extra precautions when sharing information. In addition, companies should review their log-on banners, employee policies, and privacy notices to ensure that they have obtained user consent as a valid legal basis to monitor information systems and communications for cyber threats.

Background

CISA 2015 was enacted amid bipartisan and widespread industry concern over escalating cyber risks. The legislation followed on the heels of the 2015 Office of Personnel Management data breach and years of legislative efforts to promote information sharing as a valuable tool in defending against the spread of cyber attacks. Legislative debates focused on safeguarding privacy and civil liberties, the scope of liability protections, and requirements for personal data.

Although the vast majority of cyber threat data does not contain personal information, privacy concerns temporarily stalled the bill’s prospects after Edward Snowden’s disclosures in 2013 led some critics to worry that sharing cyber threat data would aid government surveillance.

The final statute established a voluntary information-sharing framework under which private entities may share cybersecurity information with one another and with the federal government to help identify and defend against cyber threats. Private entities are provided with explicit authorization to share cyber threat information, monitor information systems, and operate defensive measures for cybersecurity purposes, and various legal protections are provided for such activities including liability protection for sharing or monitoring. The bill included a ten-year sunset clause that ends on September 30, 2025.

Key expiring provisions

The key provisions of CISA 2015 for private-sector companies can be divided into two components.

First, CISA 2015 authorizes companies to undertake cybersecurity monitoring and “defensive measures.” The statute expressly allows private entities to monitor their own information systems and take defensive measures on those systems “notwithstanding any other provision of law.”

Similarly, private entities may, with the consent of the owner, monitor and deploy defensive measures on other private entities’ systems or on the systems of federal agencies. This “notwithstanding” provision for monitoring information systems protects companies from lawsuits (and potential criminal violations) under the Wiretap Act, the Electronic Communications Privacy Act, and analogous state laws that would otherwise require companies to rely on a separate legal basis, such as user consent, to conduct such monitoring.

Second, CISA 2015 authorizes private entities to share “cyber threat indicators” and defensive measures with the federal government (and other private entities), and it provides a range of legal protections to encourage companies to participate. Cyber threat information is shared with the federal government through the Department of Homeland Security, which then shares the information with other relevant federal agencies.

The federal agencies that receive cyber threat information from companies can only use the information they receive for cybersecurity purposes; responding to a threat of death, serious bodily harm, or serious economic damage; and responding to certain crimes. To obtain the benefits of the statute, companies are obligated to remove any personally identifiable information unrelated to the cyber threat before sharing.

Private entities are shielded from liability for information sharing or monitoring activities in accordance with the statute. Additionally, any applicable legal privilege is not waived by sharing cyber threat information with, or providing defensive measures to, the federal government. Private entities also retain ownership of any proprietary information shared.

The statute exempts company actions under CISA 2015 from antitrust laws when private entities share cyber threat information or defensive measures among themselves, and it also restricts government regulatory use of shared cyber threat information for enforcement actions. Finally, information shared with the federal government is protected from being disclosed under the Freedom of Information Act or similar state sunshine laws.

Implications

When CISA 2015 lapses, these protections for new sharing and monitoring will be unavailable. The immunity from liability for monitoring systems, providing defensive measures, and sharing cyber threat information will not protect new conduct after the sunset. Privilege, FOIA, and regulatory-use protections will also not apply to new information sharing. The antitrust safe harbor for private-to-private sharing of cybersecurity information will also expire.

Importantly, the statute’s sunset clause preserves CISA 2015’s protections for actions taken before the statute’s expiration. But new activity after September 30 will not qualify.

Recommendations

Calibrate information sharing

Companies should still make sharing cybersecurity information with public and private partners an important part of their cybersecurity strategy. Without CISA 2015, companies may have to do this with an increased degree of uncertainty. Congress’s failure to reauthorize the statute should not, however, be read to suggest that cyber information sharing activities no longer have a legal basis.

Companies should continue to remove personal data and sensitive business information wherever possible. Sharing should be run through legal counsel where appropriate to manage privilege concerns and to run an antitrust screen for potentially competitively sensitive topics. As always, sensitive information should be transmitted through secure, access-controlled channels, and audit trails should be maintained to show what information was shared and for what purpose.

Review security monitoring protocols

With the “notwithstanding” monitoring authorization expiring, companies’ cyber threat detection activities should be anchored in clear notice-and-consent mechanisms. Companies should review and update privacy notices, employee acceptable use policies and device login banners to ensure the scope of employee consent includes monitoring and review of communications and traffic for cybersecurity purposes, including detection, prevention, and mitigation of threats and vulnerabilities.

Consent should cover monitoring on corporate devices and networks, and, where applicable, bring-your-own-device arrangements. Monitoring should be focused on detecting and responding to security threats, rather than unrelated employee activity, and access to monitoring data should be restricted to those who need it for security purposes. Finally, companies should engage counsel to ensure monitoring practices comply with applicable laws.
