DHS and DOJ released final rules for treatment of shared cybersecurity threat information under CISA

The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015.  CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”

The new rules facilitate the immunities provision that shields participating companies from potential public or private causes of action for entities that “promptly” share cyber threat data with the government, and the guidance clarifies that the liability protections extend to business-to-business communications in addition to business-to-government communications: “CISA authorizes private entities to share cyber threat indicators and defensive measures with other private entities. . . . It also provides private entities with liability protection for conducting such sharing in accordance with CISA.” The guidance explains procedural methods for sharing information with the DHS’s National Cybersecurity and Communications Integration Center as well as other private Information Sharing and Analysis Centers or Organizations in real time and via non-automated means.  It also helps explain some of the key concepts for information sharing, particularly with regard to procedures to ensure privacy and civil liberties protections.

CISA  requires that companies remove personally identifiable information (PII) before sharing threat information with the government or other companies, unless that information is directly related to the threat. But CISA fails to define PII within its text, which complicates the process of sharing for organizations, which are left to identify and remove anything that qualifies as PII. The guidance expounds on the definitions of cyber threat indicators, defensive measures, and “types of information protected under otherwise applicable privacy laws …[that] are unlikely to be directly related to a cybersecurity threat.”  In particular, the guidance highlights certain categories of information that may likely be inappropriate to share, including: Protected Health information pursuant to HIPAA, human resource information, consumer information and history such as that covered by the FCRA, educational history such as that protected pursuant to FERPA, financial information such as that protected by GLBA, children’s information such as that protected under COPPA, and other identifying information protected by state privacy laws.  The Privacy and Civil Liberties Final Guidelines also further specify procedures to ensure that personal information is not improperly disclosed and that individuals’ notice and redress rights are ensured.

In sum, the final guidelines provide confirmation of the powerful legal basis for companies to engage in and share information about defensive measures, as well as to engage in cybersecurity-related network monitoring, and to share information about cyberthreat indicators with both government and non-government entities, and both through the DHS automated portal and through means other than the DHS portal.  As interpreted by DHS and DOJ, CISA should prove highly useful to corporate cybersecurity efforts.