Answering Companies’ Legal Questions Concerning Cybersecurity Information Sharing: A Guide For General Counsels and Corporate Advisors

The success of the ISAO SO is derived from the vast knowledge and experience of the volunteers who make up its Working Groups. One such group has been charged with the development of standards and guidelines that address privacy and security issues inherent in information sharing. This Working Group was asked specifically to address the questions that corporate and agency leaders, especially those within the nation’s critical infrastructure, are asking of their general counsels and other legal and policy advisors with respect to the efficacy of joining or forming an ISAO. Stuart Gerson, today’s guest contributor, is one of several core group members who are the authors of ISAO SP-8000, which the ISAO SO has recently published and which, in question and answer form, provides information intended to guide counsel and their entities in approaching and conducting information sharing within the ISAO context. 

The ISAO SO has just published ISAO SP-8000 Frequently Asked Questions for ISAO General Counsel, now available for download at www.ISAO.org. This document may be read in tandem with Section 9 “Information Privacy” of ISAO 300-1: Introduction to Information Sharing, published in September, 2016.

The Cybersecurity Act of 2015 (Pub. L. No. 114-9 113) (CISA) was intended to encourage broad participation in information sharing by providing certain express liability protections. As that effort advances, it is increasingly likely that organizational general counsel and other legal and policy advisors will be called upon to recommend to their superiors whether to participate in such an effort.

To address some of the technical questions CISA spawned, the Departments of Homeland Security and Justice published Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities. But it is clear that the private sector still has many unresolved questions about ISAOs and threat vector information sharing more generally. To aid in decision making, the Working Group has set forth a compilation of many frequently-asked questions and related guidance that we hope sheds light on evaluating the potential risks and rewards of private-to-private (including through ISAOs) and private-to-government information sharing and the development of policies and procedures to succeed in it.

Among the issues discussed are: the potential benefits and risks of information sharing about cyber-threat vectors, hacking efforts, company response plans and outcomes; how risks can be best anticipated and avoided if an organization participates; the privacy and security policies an organization might have in place before it begins to share information with an ISAO; how to get the liability protections of CISA and, with respect to anti-terrorism, the SAFETY Act; and whether information exchanges should be done through an automated electronic system or by personal contact (or both).

ISAO SO Special Publications are documents authored by the its working groups through a transparent consensus-driven process. These documents are more focused than ISAO SO General Publications, addressing specific topics intended to meet the needs of information sharing organizations and those who might participate in them.