Litigation is the primal fear of any small and mid-sized business owner, and any protection from litigation or evidence to support litigation is of critical importance. It is why the cybersecurity insurance markets are worth hundreds of millions, if not billions, of dollars a year, as they prey on the fear, uncertainty and doubt (or FUD, as it's known in advertising and marketing) of the small business owner. While protecting the business against legal coverage costs is of paramount importance, there are legal protections that no cyber insurance product can provide that are afforded by the Cyber Information Sharing Act (CISA) and ISAO participation.
As formalized in the CISA law, Section 104.d.4. talks about the use of cybersecurity defensive measures that are shared with State, Tribal or Local governments. Part B of Section 4 explicitly states that those
“cyber threat indicators or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be— (i) deemed voluntarily shared information; and (ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”
So what is the intent of the government in providing this particular protection? To us at SMB-ISAO it means that the government is once again providing key protections in order to improve cybersecurity sharing with government entities. A spokeswoman for Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said the FOIA language was important to encourage companies to share information on cyber threats and attacks with the government.
“The exemption is one of the bill’s tools meant to encourage as much sharing of cyber-threat indicators as possible in order to reduce cyber-attacks on our homeland. At the core of this legislation is the creation of an environment where individuals and businesses feel safe in sharing information with the government as well as with each other,” Burr spokeswoman Becca Watkins said.
Basically, this act extends the same protection from FOIA requests that is extended to National Security and critical infrastructure. For smaller companies, the threat of litigation is increased when Freedom of Information Act (FOIA) or Sunshine Laws allow plaintiffs or lawyers to request additional information to identify litigious opportunities. Examples abound on the internet of the use of FOIA requests to harass researchers, prevent freedom of speech and receive information about cybersecurity attacks. By invoking CISA protections through the sharing of threat data with state, local and tribal governments, especially through the DHS AIS, smaller companies can enhance their protection against lawsuits.
While this protection shields businesses that share information with local governments against those threats, it can be inferred here that sharing between non-federal entities other than the aforementioned “component” of a state, tribal or local government may not allow these protections to remain in place. It appears that only communicating cyber threat indicators or defensive measures through an ISAO directly to the DHS National Communications and Cybersecurity Integration Center (NCCIC) through its Automated Information Sharing (AIS) system, or providing that information directly to the NCCIC or to state, local and tribal governments, would afford small and mid-sized businesses these protections.