The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have released Interim Guidance Documents (Guidance Documents) to implement the Cybersecurity Information Sharing Act of 2015 (CISA). The Act requires DHS and DOJ to establish a voluntary cybersecurity information sharing process that encourages public and private sector entities to share cyber threat indicators and defensive measures. Companies that choose to share such information must comply with the Guidance Documents to take advantage of the liability protections conferred by CISA. 

The Guidance Documents include:

The Guidance Documents describe the requirements and mechanisms for sharing information with DHS's National Cybersecurity and Communications Integration Center (NCCIC), which serves as ''a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.''

Companies that share cyber threat indicators and defensive measures may also include personally identifiable information with any other entity permissible under the Guidance Documents as long as the information is directly related to a ''cybersecurity purpose,'' even though such information would otherwise be protected from such sharing under other applicable privacy laws. CISA broadly defines a ''cybersecurity purpose'' as any purpose related to protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability. 

Companies will have a number of options for sharing relevant information, including through a form on the NCCIC website, via e-mail to DHS, or by utilizing DHS's Automated Indicator Sharing (AIS) initiative, which allows for machine-to-machine real-time communication of information between federal agencies and the private sector.

Ballard Spahr's Privacy and Data Security Group and Consumer Financial Services Group monitor legislative and regulatory developments at both the federal and state levels and can assist with establishing or enhancing cybersecurity programs. We are also available to offer specific guidance on sharing and receiving cyber threat information with governmental entities. 

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.