Cybersecurity Information Sharing Act: Government Surveillance or Critical Protection?

The controversial Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law as a part of the $1.1 trillion omnibus spending bill, establishing a process for organizations to voluntarily share threat indicators with the Federal government and other private entities to help organizations better prepare for and respond to cyber threats.

CISA Provisions

CISA calls for a voluntary program for cyber threat indicators to be shared with the government and circulated among participating organizations. The types of threat indicators to be shared include malicious code, suspected reconnaissance, and security vulnerabilities.

As an incentive, participating entities will receive liability protection from lawsuits arising out of participation in the program and will not be penalized for not using the information received from the government to improve cybersecurity defenses.

While proponents hail CISA as a critical step in combatting cyber threats, critics in the privacy community claim it is a government surveillance measure that diminishes privacy rights. Critics also question whether the privacy safeguards are adequate and whether the protections afforded for participation will be enough to incentivize organizations to join the program.

To address these concerns, CISA requires participating organizations to remove all personal information prior to sending threat alerts to the government. The Department of Homeland Security Secretary is tasked with developing guidance on the information that must be removed and how the government handles the information it receives. CISA also provides that information shared is considered proprietary information of the sharing entity, exempt from disclosure under the Freedom of Information Act and generally prohibited from being used for regulatory purposes by Federal or State agencies.

Healthcare Organizations

Several provisions under CISA pertain to healthcare organizations. To start, the Department of Health and Human Services is to develop a set of cybersecurity best practices for organizations in the healthcare industry. These best practices will be consistent with the standards in the HIPAA Security Rule, and may end up being more specific.

CISA also addresses systems that are connected to electronic health records, specifically medical devices. The HHS Secretary is to create a task force that will review the issues and challenges surrounding the security of networked medical devices. The task force will report on ways to improve preparation for, and response to, cybersecurity threats.

Key Takeaways

As cyber criminals become more sophisticated, knowledge of emerging threats is critical to mitigating such risks. Organizations should evaluate whether participation in the information sharing program would be a valuable way to obtain inside information about cyber threats in their industry and sector.

As an ePlace Solutions client, you are also entitled to receive various threat alerts that identify emerging cyber threats. For more questions about ePlace threat alerts, or to sign up for the threat alerts, please feel free to reach out to Matt Peranick at (559)577-1306 or
