Dive Brief:
- The Department of Homeland Security has released initial guidelines for sharing data under the Cybersecurity Information Sharing Act.
- The measure, embedded in spending legislation last year, gives the private sector some exclusions from legal liability for sharing so-called cyber threat indicators with federal agencies.
- Companies are not required to share the information under the law.
Dive Insight:
This is a major step forward for a measure that deeply divides privacy advocates and government agencies with cybersecurity interests. It was placed into a budget bill President Obama signed late in December, and it's designed to let companies share threat data without fear they could be sued.
Critics have focused on one phrase in the measure: the term "specific threat," as opposed to "imminent threat," which was the language used in an earlier draft of the legislation. They argue that without the time-based element of the latter phrase, agencies can claim almost any scenario as a specific threat and pressure companies to release information.
DHS notes the law has two layers designed to protect individual privacy. "Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information," DHS Secretary Jeh Johnson said in a statement released earlier this week.