After much consternation and debate, the Cybersecurity Information Sharing Act of 2015 (CISA) passed with a whimper in late December 2015 as a small part of the omnibus Consolidated Appropriations Act. In mid-June, the Department of Homeland Security (DHS) and Department of Justice (DOJ) released guidance for non-federal entities on how to share and receive "cyber threat indicators" and "defensive measures." Non-federal entities can now share both types of cybersecurity information automatically with the federal government by joining the Automated Indicator Sharing (AIS) program, or manually by email or web form. They may also share such information through existing DHS programs. Regardless of the method, private entities that share such information with the DHS receive several protections under CISA, including protection from liability caused by the sharing of such information, as well as exemption from federal and state disclosure laws and regulatory enforcement actions stemming from the sharing of such information. The scope and efficacy of these protections have not been tested. Under CISA, private entities may also share cyber threat indicators and defensive measures amongst themselves, but such sharing does not provide the same protections as sharing with the DHS, apart from some liability protection. The full text of the non-federal entity guidance can be found here.