Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?
As a reminder, CISA allows—but does not require—organizations to share cybersecurity information with DHS, DOJ, and other federal agencies. Specifically, section 104(c)(1) of CISA authorizes any entity “for a cybersecurity purpose” to “share with, or receive from, any other entity or the Federal Government a cyber threat indicator or defensive measure.” Section 106, in turn, provides liability protection for companies that participate in CISA’s information-sharing process so long as the sharing of information comports with the requirements of the statute.
In February 2016, the DOJ and DHS developed and issued procedures to facilitate the sharing of classified and unclassified cyber threat indicators and defensive measures. While the February 2016 guidance provided detailed information and substantial direction regarding CISA, it left unclear what qualifies as shareable information—a critical question for any company considering sharing under CISA.
DHS and DOJ’s most recent Guidance Document, released on June 15, 2016, seeks to address that uncertainty. For cyber threat indicators, the agencies clarified that “the only information that can be shared under the Act is information that is directly related to and necessary to identify or describe a cybersecurity threat.” And, the agencies explained, a defensive measure “will generally consist principally of technical information that can be used to detect and counter a cybersecurity threat.”
For both cyber threat indicators and defensive measures, the June 2016 Guidance Document makes clear that shared information “typically will not include personal information of a specific individual or information that identifies a specific individual.” Such personal information “may include” information protected under applicable privacy laws—e.g., health information, human resource information, consumer information, education history, financial information, property ownership information, and identifying information of children.
For example, when sharing information about a spear phishing e-mail scheme, the e-mail address of the sender, the malicious URL in the e-mail, and the malware attached to the e-mail would be “considered directly related to a cybersecurity threat.” But the names and e-mails of the “targets” would be “personal information not directly related to a cybersecurity threat.”
Organizations considering sharing information under CISA should take note that the Guidance Document puts the onus on the sharing entity “to review” and to “remove any information from a cyber threat indicator or defensive measure that it knows at the time of sharing to be personal information of a specific individual.” For instance, the “entire contents of a hard drive of a personal computer that has been compromised” would “not solely contain information constituting a cyber threat indicator or defensive measure, thus sharing it in its entirety may fall outside the scope of CISA.” But “sharing cyber threat indicators extracted from the hard drive of a compromised computer would be eligible for CISA’s protections.”
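As an added illustration of the spear-phishing example and the “review and remove” step above (this is example code written for this post, not anything published by DHS, DOJ, or the Guidance Document), the script below parses a constructed phishing e-mail, keeps the three items the guidance names as directly related to the threat (the sender’s address, the malicious URLs, and the attached file, represented by its SHA-256 hash), and strips the targets’ names and addresses before anything is shared. The sample message, the field names, and the review policy (reduce a URL that embeds a target’s address to scheme/host/path; drop a filename that carries one but keep the hash) are this example’s own assumptions, not requirements of the statute or the guidance.

```python
"""Extract threat indicators from a spear-phishing e-mail and remove the
targets' identifying information before sharing.

Added example for this post, not code from DHS/DOJ or the Guidance Document.
The review policy, field names and sample message are assumptions.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
MIN_TOKEN_LEN = 4  # ignore very short identifiers (e.g. "IT") to limit false matches

# Constructed stand-in for the attached malware; not a real executable.
SAMPLE_ATTACHMENT = b"MZ\x90\x00constructed-sample-not-a-real-executable\x00"


def make_sample_email() -> bytes:
    """Constructed spear-phishing message: a tracking link, a mirror link, one attachment."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <payments@invoice-portal.example>"
    msg["To"] = "Alice Liddell <alice.liddell@victim.example>"
    msg["Cc"] = "bob.kowalski@victim.example"
    msg["Subject"] = "Overdue invoice 44817"
    msg.set_content(
        "Dear Alice,\n\nPlease review the overdue invoice at\n"
        "http://invoice-portal.example/review?id=44817&u=alice.liddell@victim.example\n"
        "or open the attached copy. A mirror is at https://cdn.invoice-portal.example/x/44817\n"
    )
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice_44817.pdf.exe")
    return msg.as_bytes()


def target_identifiers(msg: EmailMessage) -> set[str]:
    """Identifiers of the targets: recipient addresses, their local parts and display names."""
    tokens = set()
    for header in ("To", "Cc", "Bcc", "Delivered-To"):
        for name, addr in getaddresses([str(h) for h in msg.get_all(header, [])]):
            for token in (addr, addr.split("@", 1)[0], name):
                if len(token) >= MIN_TOKEN_LEN:
                    tokens.add(token.lower())
    return tokens


def extract_indicator(raw: bytes) -> tuple[dict, set[str]]:
    """Parse the message; return the unreviewed indicator and the target identifiers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        attachments.append({"filename": part.get_filename(),
                            "sha256": hashlib.sha256(data).hexdigest(),
                            "size": len(data)})
    indicator = {
        # Only the address is kept; the display name is not needed to describe the threat.
        "sender_address": parseaddr(str(msg["From"] or ""))[1],
        "urls": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,
    }
    return indicator, target_identifiers(msg)


def review_for_personal_information(indicator: dict, targets: set[str]) -> tuple[dict, list[str]]:
    """The 'review and remove' step (policy is this example's assumption).

    A URL embedding a target identifier is reduced to scheme/host/path so the
    malicious location is still shared; a filename carrying one is dropped but
    the hash is kept. Returns the cleaned indicator and the removed values.
    """
    def tainted(value: str) -> bool:
        v = value.lower()
        return any(t in v for t in targets)

    removed, urls = [], []
    for url in indicator["urls"]:
        if not tainted(url):
            urls.append(url)
            continue
        removed.append(url)
        stripped = urlsplit(url)._replace(query="", fragment="").geturl()
        if not tainted(stripped):
            urls.append(stripped)
    attachments = []
    for att in indicator["attachments"]:
        att = dict(att)
        if att["filename"] and tainted(att["filename"]):
            removed.append(att["filename"])
            att["filename"] = None
        attachments.append(att)
    return {**indicator, "urls": sorted(set(urls)), "attachments": attachments}, removed


def shareable_indicator(raw: bytes) -> dict:
    """Full pipeline with a final check that no target identifier survived."""
    indicator, targets = extract_indicator(raw)
    cleaned, _ = review_for_personal_information(indicator, targets)
    leaked = [t for t in targets if t in repr(cleaned).lower()]
    if leaked:
        raise ValueError(f"personal information still present: {leaked}")
    return cleaned


if __name__ == "__main__":
    import json
    print(json.dumps(shareable_indicator(make_sample_email()), indent=2))
```

Note that the message body, subject line, and recipient headers are never copied into the shared record at all; the final check in `shareable_indicator` is a backstop for identifiers that creep into the fields that are shared (here, a tracking URL whose query string carries the target’s e-mail address).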