After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.
CISA allows—but does not require—companies to share certain cybersecurity information with the NSA and other federal agencies, where that information is necessary to identify malicious intrusions, security vulnerabilities, or other enumerated “cyber threat indicators.” Supporters of the legislation argue that this type of information-sharing is critical to protecting American citizens and businesses from potentially disastrous cyber attacks.
The law also includes a controversial provision that limits civil liability for companies who participate in CISA’s information-sharing framework. Many privacy advocates objected to this provision on the grounds that it seems to exempt these companies from complying with other privacy laws. More generally, critics—including many in the tech industry, such as Apple and Twitter—have expressed concern that CISA tips the scales too much toward security at the expense of users’ privacy.
The law will not go into effect immediately because the relevant federal agencies have 60 days to announce procedures and policies for implementing CISA’s information-sharing goals. Nevertheless, it is not too soon for any organizations considering whether to submit information to the portal to begin to develop internal procedures for identifying and reporting that information. Crucial to those procedures is the need for a system in place for scrubbing the data of personally identifiable information—otherwise, the statutory safe harbor will not apply and your organization may expose itself to civil liability.
We will continue to report on ongoing developments related to CISA’s implementation.