Tuesday, July 25, 2017

CISA is actually a law now!

The Cybersecurity Information Sharing Act (CISA) was passed by the Senate, House, and President. CISA is a law now. What is CISA? CISA incentivizes companies to share their cybersecurity threat indicators and defensive measures with the federal government. The incentives include legal protections such as limits on liability and protection from Freedom of Information Act (FOIA) disclosure requirements. The Department of Justice (DOJ) and Department of Homeland Security (DHS) could then share that information with each other, local governments, and private entities. Previously, such sharing could put the sharer at risk of violating antitrust and privacy laws, or of a disclosure waiver of privilege under FOIA (applicable to government agencies such as the DMV), all very costly violations of longstanding laws.

This is very controversial and has received heated backlash from some privacy advocacy groups and some corporations, while other corporations laud the idea of limiting their legal liabilities in exchange for sharing data.

There's more. Private organizations can now share with other non-federal entities as long as they justify that the information is directly related to and necessary to identify or describe a cybersecurity threat.

Is your organization taking advantage of this data sharing law? Why or why not? Some organizations are adamant that this enabled more of a Cyber Information Surveillance Act (CISA) than a CISA. Thoughts?

(https://www.congress.gov/bill/114th-congress/senate-bill/754)