Companies May Obtain Immunity for Sharing Cyberthreat Information With the Government


The Department of Homeland Security and Department of Justice recently released the final guidelines for how companies may share “cyber threat or defensive measures” with the government. 

In a recent article featured in CIO Dive, Bloomberg BNA Privacy and Security News Senior Legal Editor Daniel R. Stoller provided insights on the Cybersecurity Information Sharing Act (CISA). 

CISA—adopted as part of the Consolidated Appropriations Act, 2016—provides the mechanism for which companies may share cyberthreat or defensive measures with the government. Any company, or non-federal entity, that shares this information with the government may obtain immunity from any public or private cause of action related to the sharing of cyberthreat indicators or defensive measures. 

Many were hoping for changes after the first rules were implemented in February, but very little has changed. 

To obtain the business immunity companies must follow specific protocols. Companies must share the data using one of the Department of Homeland Security’s real-time capabilities, including: the Automated Indicator Sharing (AIS) capability, approved webform or e-mail. Companies that don’t follow the protocols won’t receive the business immunity but may receive other protections outlined in CISA, including: exemption from federal antitrust laws; exemption from federal, state, tribal or legal government freedom of information act requests; exemption from certain state and federal regulatory uses; and no waiver of privilege for shared material. 

The final guidelines do, however, explain how businesses may share cyberthreat information with each other and obtain business immunity. As long as companies follow procedures similar to the ones for sharing information with the government, they will receive the immunity under Section 106, as well as an exemption from antitrust violations that may arise from sharing the information. 

Although there may be some grey areas still left in the final guidelines, they do go a long way in implementing a successful information sharing regime.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update