Brad S. Karp is chairman and partner at Paul, Weiss, Rifkind, Wharton & Garrison LLP. This post is based on a Paul Weiss client memorandum.
The Cybersecurity Information Sharing Act of 2015 (“CISA”) was signed into law on December 18, 2015. The law has two main components. First, it authorizes companies to monitor and implement defensive measures on their own information systems to counter cyber threats. Second, CISA provides certain protections to encourage companies to voluntarily share information—specifically, information about “cyber threat indicators” and “defensive measures”—with the federal government, state and local governments, and other companies and private entities. These protections include protections from liability, non-waiver of privilege, and protections from FOIA disclosure, although, importantly, some of these protections apply only when sharing with certain entities. To qualify for these protections, the information sharing must comply with CISA’s requirements, including those regarding the removal of personal information.