Information Sharing – U.S. Legal and Regulatory Guidance

Information sharing about cybersecurity threats and vulnerabilities produces enormous benefits — enabling entities to quickly learn about and protect against new and evolving attack vectors.

Abstract

Effective information sharing provides significant economic benefit for the organizations involved; helps protect companies against vulnerabilities being propagated by a weak link in the supply chain; and serves the broader public interest by improving security and resilience across the global community. Within the United States, reaping the benefits of information-sharing programs can often be hindered by an incomplete understanding of legal risk. This document addresses those concerns. It assesses potential liability, available liability protections, and best practices for ensuring effective information sharing that mitigates legal risk.

Purpose of this document

Effective information sharing about new and evolving cyber threats can help organizations better manage those threats — with significant benefits both to the organizations involved and to the broader public. It is a collective action with collective benefits. It helps protect against an entity being the inadvertent vector for a threat that propagates through an entire sector – and beyond. That said, private sector entities are often unsure about what can and should be shared, how to share information in a way that does not inadvertently run afoul of legal and compliance obligations, and how to carry out information sharing in a way that minimizes liability risks. This document addresses each of these considerations. It provides a reminder of the benefits of information sharing. It offers guidance on what can and should be shared, consistent with the overriding goal of creating a shared understanding and mitigating the risks of emergent threats; and it addresses the legal and compliance issues — suggesting best practices for sharing information while mitigating liability and other legal and reputational risks. That said, this document is not intended to constitute legal advice; entities should consult with counsel to help shape the specifics of any information-sharing agreement.

Topics covered:

  • Why Share
  • What to Share
  • Who to Share With
  • Legal and Compliance Considerations
  • Related Resources & News