On February 13, 2015, President Obama signed an executive order encouraging the sharing of information related to cyber-threats between the private and public sectors. The Order instructs the Department of Homeland Security (DHS) to "strongly" urge private companies, as well as nonprofit groups, to voluntarily form Information Sharing and Analysis Organizations (ISAOs) to share details about cyber threats with other ISAOs and DHS "in as close to real time as possible."
The Order states that private-sector ISAOs are to "agree to abide by a common set of voluntary standards, which will include privacy protections, such as minimization, for ISAO operation and ISAO member participation. In addition, agencies collaborating with ISAOs under this order will coordinate their activities with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the Fair Information Practice Principles."
While the Order is silent about what "voluntary standards" control information sharing by companies, the Order does require DHS to establish guidelines governing how the government collects and handles the shared data. Presumably, DHS will also promulgate such standards related to information sharing in the private sector, or otherwise, such standards will be established through legislation.
Notably, the Order does not give companies protection from liability when they share information. But related legislation was introduced earlier last week by Senator Tom Carper (D-Del.) – S. 456: Cyber Threat Sharing Act of 2015 – which limits liability of companies that voluntarily disclose cyber threat indicators. The bill is similar to a legislative proposal issued by the White House last month recommending immunity be given to companies that share data with the government. Understandably, absent such immunity, companies have been (and likely will remain) reluctant to share cyber threat information with the government.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.