From Covington and Burling’s Inside Privacy blog:
The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provided protections for sharing cybersecurity threat information with the federal government and others, officially sunset on September 30, 2025 pursuant to the law’s original sunset date after efforts to re-authorize it did not succeed. The law created a cybersecurity information sharing framework and established certain protections – including disclosure under FOIA, limits to liability, and limits to waiver of legal privilege – for sharing that information with private parties and the federal government. While the expiration does not prohibit industry participants from ongoing or future sharing of cyber threat information with the federal government and others, private sector companies can no longer rely on CISA 2015’s protections when doing so.
Although several bills had been introduced in recent months to re-authorize CISA 2015’s protections, including some that would have adjusted or altered CISA 2015’s provisions, none of the bills significantly progressed before the current U.S. government shutdown. Going forward, organizations that share cyber threat information should consider how the absence of CISA 2015’s protections might impact their sharing practices and monitor for future legislative efforts to re-authorize CISA 2015 or create a similar replacement framework for information sharing.
