After months of deliberation (see our April 23 and October 28 alerts), President Obama signed into law the consolidated version of the Cybersecurity Information Sharing Act of 2015 (CISA) as part of the massive omnibus spending bill. The final version of CISA will establish a process allowing participating businesses to share certain cyberthreat information with the federal government and vice versa. Businesses are incentivized to participate through liability protection from lawsuits for sharing such cyberthreat information. CISA tasks the Department of Homeland Security (DHS) with acting as the intermediary between the federal government and participating businesses, and also requires DHS to establish an automated system for sharing any provided cyberthreat information with other governmental agencies in real time.
While CISA is still in its nascent stages, most business groups generally support the legislation and its potential to improve prevention, detection, and mitigation of cybersecurity threats. However, some consumer advocates continue to argue that CISA provides limited privacy protections for Americans, though the final version of CISA does require the removal of personally identifiable information from data before such data is shared.