With the new fiscal year upon us, it is official – the legal protections for sharing of cyber threat information among private sector entities and with the federal government were not renewed by Congress and have expired. The Cybersecurity Information Sharing Act of 2015 encouraged and, more importantly, protected companies and businesses that shared cyber threat information.
At its core, the sharing encouraged by the Act allowed private sector entities to not only share their own information with the federal government but also to receive information from the federal government. This multilateral sharing allowed entities to learn from the lessons of others and be on the lookout for threats and indicators of compromise of which they might not have been aware. It also provided an antitrust safe harbor for companies to share cybersecurity information directly with each other, and authorized companies to take defensive measures to detect, prevent, and mitigate cybersecurity threats.
Now that it has lapsed, companies should be very thoughtful about sharing information. Since there is no longer blanket legal authority for sharing, businesses should review log-on banners, employee policies, and privacy notices to ensure that they have consent to monitor and/or share the information. To avoid entanglement with antitrust laws, companies should ensure that information exchanged is not competitively sensitive, including pricing, future plans, and output levels. Antitrust authorities recognize, however, that much of the information exchanged in cybersecurity best practices is technical and physical, the exchange of which is designed to reduce cyber-attacks, an efficiency-enhancing benefit for consumers. Companies should also consider carefully the defensive measures they employ to protect their systems and networks to avoid taking actions that may create risks no longer covered by the expired protections of CISA 2015.
To learn more about what the expiration of the Cybersecurity Information Sharing Act might mean for your company, contact Zachary A. Myers, Erin M. Prest, or a member of the McCarter & English Cybersecurity & Data Privacy team.
This alert is for informational purposes only and does not constitute legal advice or create an attorney-client relationship.
