Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.
With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.
To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.
If you are having trouble viewing this document, we recommend either saving the document before opening it or switching to a different browser.
If you have any comments or suggestions relating to this document, you may submit them using our published product comment form.