After a security incident is identified, organizations often consider whether to share information concerning the incident with government agencies. If the incident involved criminal conduct, federal law enforcement agencies – such as the Federal Bureau of Investigation or the United States Secret Service – may be interested in investigating and attempting to prosecute those responsible. It’s also possible that law enforcement is already investigating similar incidents and can share information that may help in your investigation. For example, they may be able to identify IP addresses associated with bad actors, security vulnerabilities that are being exploited within other organizations, or evidence that might suggest that criminals successfully obtained information from your organization.
The “Cybersecurity Act of 2015,” which was enacted in December of that year, is designed to promote the ability of organizations to identify data security incidents and to share that information with law enforcement. The Cybersecurity Act has three main provisions. First, it provides a safe harbor from liability for organizations that monitor information systems for cyber threats. Under the safe harbor, an organization cannot be sued for engaging in monitoring that complies with the Act. Second, if a threat is identified, it provides a safe harbor for the organization to share that information with federal agencies. Third, if an organization chooses to share a cyber threat indicator or a defensive measure with the federal government, any privilege that might have attached to the information shared (e.g., attorney-client privilege) is not waived.
What to consider when deciding whether to share information with the government:
- Most organizations are not required to share information with the federal government concerning cyber threats or data security incidents. The Cybersecurity Act of 2015 does not compel sharing; it is designed to protect organizations that voluntarily choose to share information.
- The Cybersecurity Act of 2015 only protects information shared with the federal government. If you are considering sharing information with state or local government agencies, you should consider whether doing so may result in liability or privilege waiver.
- The safe harbors in the Cybersecurity Act of 2015 require that a company follow guidelines for what information can be shared, and how that information must be shared. You should carefully review the requirements before disclosing information to the government to make sure that you can utilize the protections under the Act.
- To the extent that you have contractual or other statutory obligations not to share information with the government, it is uncertain whether courts will interpret the Cybersecurity Act of 2015 as immunizing your organization from liability if you choose to voluntarily share information.
The following provides a snapshot of threat monitoring and information sharing with the government: