Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing has been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.
With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.
To aid in that decision making, frequently asked questions and related guidance have been compiled that might shed light on evaluating the potential risks and rewards of information sharing and on developing policies and procedures to succeed in it. This memorandum is targeted at general counsel, and the hope is that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.