Government Issues Guidance on Cybersecurity Information Sharing
This week, the U.S. Department of Homeland Security ("DHS") published guidance (the "Guidance") to promote the sharing of cyber threat information by companies and other non-federal entities pursuant to the Cybersecurity Information Sharing Act of 2015 ("CISA" or the "Act").
Congress passed CISA late last year to facilitate cybersecurity information sharing among private and public entities and to reduce the risk of liability for information sharing and defensive measures. The recently issued Guidance helps to clarify the requirements and mechanisms for the sharing of such information by companies and other non-federal entities under the Act.
Scope of Information Sharing.
CISA provides that non-federal entities may share information regarding cyber threat indicators and defensive measures with the federal government and other non-federal entities for purposes of protecting an information system from a cybersecurity threat or vulnerability. However, as discussed in the Guidance, the Act (i) limits such sharing to information that is directly related to and necessary to identify a cybersecurity threat, and (ii) requires a non-federal entity to remove information that is not directly related to a cybersecurity threat and is known at the time of sharing to be personal information of a specific individual or other personally identifiable information.
The Guidance cautions that compliance with these requirements is necessary to obtain the full legal protections of CISA.
The Guidance further explains that cyber threat indicators and defensive measures typically will not include such personal information, which is unlikely to be directly related to a cybersecurity threat. The Guidance provides examples of categories of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat. These examples include, among other things:
Human resources information, including information regarding an individual’s hiring, performance reviews, and disciplinary actions;
Consumer information/history, which may include information related to an individual’s purchases, preferences, complaints, and/or credit;
Education history, such as an individual’s educational transcripts;
Financial information, such as bank statements, loan information, or credit reports; and
Individually identifiable health information that meets the definition of Protected Health Information (PHI), including information regarding the provision of health care to an individual.
Although such information may in some circumstances be directly related to a cybersecurity threat, the Guidance suggests that anonymization techniques may be used to prevent the unnecessary disclosure of personal information. Moreover, the Act provides that a non-federal entity may conduct its review for such personal information using either a manual or a technical process.
Mechanisms for Information Sharing.
DHS is responsible under CISA for developing a capability and process that will accept cyber threat indicators and defensive measures in real time from companies and other non-federal entities. The Guidance describes four methods by which non-federal entities may share cybersecurity information with DHS pursuant to the Act (information regarding each method is available here):
Automated Information Sharing (AIS), which is a system that allows for the timely sharing of structured cyber threat information based upon a technical specification for the format and exchange of such information. Following review, analysis, and sanitization, information provided through AIS will be provided to all other AIS participants, but the identity of the entity supplying the information is not provided;
Via completion of a Web Form on a DHS National Cybersecurity and Communications Integration Center website;
Via email to DHS; or
Via sharing with an Information Sharing and Analysis Center or Information Sharing and Analysis Organization.
Non-federal entities that share cyber threat information with the federal government pursuant to one of the mechanisms described above and in accordance with CISA’s requirements receive liability protection under the Act.
Other Protections Under CISA.
The Guidance reiterates that, under CISA, non-federal entities that share cyber threat indicators or defensive measures with any federal entity receive a variety of additional protections with respect to the shared information. These protections include, among other things, a limited antitrust exemption, an exemption from certain federal and state disclosure laws, an exemption from certain state and federal regulatory uses, and protection for certain privileged and proprietary information, including trade secrets.
Companies and other non-federal entities should consult the Guidance in connection with sharing cybersecurity information with the federal government pursuant to CISA. The Guidance provides a useful roadmap for non-federal entities seeking to ensure compliance with CISA (and the receipt of its corresponding protections) when sharing information related to cyber threats and defensive measures.
Ice Miller's Data Security & Privacy Practice helps clients assess risks. We work with clients to help them implement a strong data security and privacy program.
Eric McKeown, a former software developer, is a member of Ice Miller's Data Security and Privacy Practice. Eric can be reached at firstname.lastname@example.org or (317) 236-2124.
Stephen Reynolds is a partner in Ice Miller's Litigation and Intellectual Property Group and co-chair of the Data Security and Privacy Practice, with a practice that focuses on commercial litigation and data security and privacy law. He can be reached at email@example.com or 317-236-2391.
Graham Hill is a co-founder of Ice Miller Strategies and serves as its CEO. He can be reached at firstname.lastname@example.org or 202-824-8668. Ice Miller Strategies provides high-level strategic services and government affairs counsel to global corporations, industry associations and non-profit organizations with interests before the United States Congress, the White House and Federal Agencies.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
DHS also published guidance this week regarding (i) the sharing of cyber threat indicators by the federal government under CISA, (ii) interim procedures related to the receipt of cyber threat indicators and defensive measures by the federal government, and (iii) privacy and civil liberties interim guidelines under CISA. These resources are available at https://www.us-cert.gov/ais
The Guidance notes that such a review is not explicitly required by the Act for defensive measures, but non-federal entities are encouraged to perform such a review prior to sharing information regarding defensive measures. Guidance at 10.
Guidance at 11; CISA §§ 104(d)(2)(A), (B).
Guidance at 13; CISA § 106.