SMB ISAO

Small to Medium-size Business Information Sharing and Analysis


FOIA and Sunshine Law Protections: Why are they significant?

May 30, 2017 By mnisao

Litigation is the primal fear of any small and mid-sized business owner, and any protection from litigation or evidence to support litigation is of critical importance. It is why the cybersecurity insurance markets are worth hundreds of millions, if not billions, of dollars a year as they prey on the fear, uncertainty and doubt (or FUD, as it's known in advertising and marketing) of the small business owner. While protecting the business against legal coverage costs is of paramount importance, there are legal protections that no cyber insurance product can provide that are afforded by the Cyber Information Sharing Act (CISA) and ISAO participation.

As formalized in the CISA law, Section 104.d.4. talks about the use of cybersecurity defensive measures that are shared with State, Tribal or Local governments. Part B of Section 4 explicitly states that those

“cyber threat indicators or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”

So what is the intent of the government in providing this particular protection? To us at SMB-ISAO it means that the government is once again providing key protections in order to improve cybersecurity sharing with government entities. A spokeswoman for Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said the FOIA language was important to encourage companies to share information on cyber threats and attacks with the government.

“The exemption is one of the bill’s tools meant to encourage as much sharing of cyber-threat indicators as possible in order to reduce cyber-attacks on our homeland. At the core of this legislation is the creation of an environment where individuals and businesses feel safe in sharing information with the government as well as with each other,” Burr spokeswoman Becca Watkins said. Basically, this act extends the same protection from FOIA requests that is extended to National Security and critical infrastructure.

For smaller companies, the threat of litigation is increased when Freedom of Information Act (FOIA) or Sunshine Laws allow plaintiffs or lawyers to request additional information to identify litigious opportunities. Examples abound on the internet of the use of FOIA requests to harass researchers, prevent freedom of speech and receive information about cybersecurity attacks. By invoking CISA protections through the sharing of threat data with state, local and tribal governments, especially through the DHS AIS, smaller companies can enhance their protection against lawsuits.

While this protection shields businesses that share information with local governments against those threats, it can be inferred that sharing between non-federal entities other than the aforementioned “component” of a state, tribal or local government may not allow these protections to remain in place. It appears that Small and Mid-Sized businesses would be afforded these protections only by communicating cyber threat indicators or defensive measures through an ISAO directly to the DHS National Communications and Cybersecurity Integration Center (NCCIC) through its Automated Information Sharing (AIS) system, or by providing that information directly to the NCCIC or to state, local and tribal governments.
