Firm Insights

Cybersecurity Information Sharing Act Business Guidance

Author: Scarinci Hollenbeck, LLC

Date: July 6, 2016

Key Contacts

Scarinci Hollenbeck, LLC

The Firm

201-896-4100 info@sh-law.com

Back

The Department of Justice and the Department of Homeland Security recently issued guidance that clarifies how the Cybersecurity Information Sharing Act (CISA) will impact the business community.

The agencies specifically addressed the procedures for voluntarily sharing “cyber threat indicators,” as well as the application of the law’s immunities provision.

Basic Provisions of the Cybersecurity Information Sharing Act

The goal of CISA, which was enacted last December as part of the Cyber Security Act of 2015, is to promote information sharing regarding cyber threats impacting the private sector. Under the new law, federal agencies, such as the DHS, are authorized to alert businesses about potential cyber threats. At the same time, the law also creates procedures for businesses to share information about cyberattacks or data intrusions with both federal agencies and other private entities.

To encourage information sharing, companies that participate in the program are shielded from liability for violating privacy-protection or antitrust laws, provided that the information is shared in accordance with CISA. Most notably, the law requires that companies remove personally identifiable information from any data shared, unless that information is directly related to the threat.

Cyber Threat Information Shared Between Private Entities

Section 104(c) of CISA allows non-federal entities to share cyber threat indicators and defensive measures with any other entity—private, federal, state, local, territorial, or tribal—for a “cybersecurity purpose.” However, previous guidance did not specifically address how private entities may share cyber threat indicators and defensive measures with each other. As a result, it was unclear whether CISA’s liability protections extended to business to business communications.

The latest CISA guidance from the DOJ/DHS provides a detailed summary of the protections and exemptions that non-governmental entities receive for sharing cyber threat indicators and defensive measures with each other in accordance with CISA. It also expressly states: “CISA authorizes private entities to share cyber threat indicators and defensive measures with other private entities. … It also provides private entities with liability protection for conducting such sharing in accordance with CISA.”

Additional Guidance Provided by DOJ/DHS

The latest CISA guidance also addresses several other key issues, including how to identify and share cyber threat indicators and defensive measures. For instance, it emphasizes “cyber threat indicators and defensive measures will typically consist of technical information that describes attributes of a cybersecurity threat that generally need not include various categories of information that are considered sensitive and, therefore, protected by privacy laws.”

Cybersecurity Information Sharing Act Guidance Tips

The guidance provides specific examples of information unlikely to be directly related to a cybersecurity threat and is, therefore, inappropriate to share, including:

Protected health information;
Human resource information contained within an employee’s personnel file;
Consumer information and history, including information covered by the Fair Credit Reporting Act;
Educational history, including transcripts and information protected pursuant to Family Educational Rights and Privacy Act;
Financial information, including bank statements, loans, and information protected by the Gramm-Leach-Bliley Act;
Children’s information, including that protected under Children’s Online Privacy Protection Act; and
Other identifying information protected by state privacy laws.

Businesses big and small can benefit from these guidelines. The challenge often lies in figuring out what is necessary for your company, what should be a priority, and how best to determine and integrate both technology and training into your operations.

Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo and follow the twitter accounts @CyberPinguelo and @eWHW_Blog for timely comments on related issues. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit our Cyber Security & Data Protection page.

For more posts dealing with Cybersecurity, check out:

Cyber Threats on Small Business Come From All Angles
NJ Supreme Court Addresses Use of Metadata in Electronic Documents
Computer Hacking Defendant Loses in Supreme Court, Violates CFAA

Practices: Corporate Transactions & Business
Locations: Red Bank, NJ, New York City, Little Falls, NJ

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

See all

Why Compliance Monitoring Matters for NY and NJ Businesses

Compliance programs are no longer judged by how they look on paper, but by how they function in the real world. Compliance monitoring is the ongoing process of reviewing, testing, and evaluating whether policies, procedures, and controls are being followed—and whether they are actually working. What Is Compliance Monitoring? In today’s heightened regulatory environment, compliance […]

Author: Dan Brecher

February 4, 2026

When Are New Jersey Business Owners Personally Liable for Corporate Debt?

New Jersey personal guaranty liability is a critical issue for business owners who regularly sign contracts on behalf of their companies. A recent New Jersey Supreme Court decision provides valuable guidance on when a business owner can be held personally responsible for a company’s debt. Under the Court’s decision in Extech Building Materials, Inc. v. […]

Author: Charles H. Friedrich

January 30, 2026

Commercial Real Estate Trends to Watch in 2026

Commercial real estate trends in 2026 are being shaped by shifting economic conditions, technological innovation, and evolving tenant demands. As the market adjusts to changing interest rates, capital flows, and workplace models, investors, owners, tenants, and developers must understand how these trends are influencing opportunities and risk in the year ahead. Overall Outlook for Commercial […]

Author: Michael J. Willner

January 29, 2026

One Big Beautiful Bill: New Tip Income Tax Rules Employers & Workers Need to Know

Part 2 – Tips Excluded from Income Certain employees and independent contractors may be eligible to deduct tips from their income for tax years 2025 through 2028 under provisions included in the One Big Beautiful Bill. The deduction is capped at $25,000 per year and begins to phase out at $150,000 of modified adjusted gross […]

Author: Scott H. Novak

January 28, 2026

One Big Beautiful Bill: New Overtime Tax Rules Employers and Employees Need to Know

Part 1 – Overtime Pay and Income Tax Treatment Overview This Firm Insights post summarizes one provision of the “One Big Beautiful Bill” related to the tax treatment of overtime compensation and related employer wage reporting obligations. Overtime Pay and Employee Tax Treatment The Fair Labor Standards Act (FLSA) generally requires that overtime be paid […]

Author: Scott H. Novak

January 27, 2026

New York’s FAIR Business Practices Act: What the New Consumer Protection Measure Means for Your Business

In 2025, New York enacted one of the most consequential updates to its consumer protection framework in decades. The Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR Act) significantly expands the scope and strength of New York’s long-standing consumer protection statute, General Business Law § 349, and alters the compliance landscape for New York […]