The day before the recent federal government shutdown, a ten-year-old cybersecurity law expired before it could be reauthorized. The Cybersecurity Information Sharing Act of 2015 (“CISA”) provided a mechanism for private companies to share information with the federal government about cyber threats in return for certain legal protections. CISA applied only when the information was shared voluntarily, rather than compelled by a subpoena, but it provided a valuable tool for the private sector and government to share information about current cyber threats.
A bipartisan Senate bill was recently introduced in committee that could come to CISA’s rescue, but with the current shutdown, it is unclear if and when it might be passed. In the meantime, companies that want to voluntarily share cyber threat information with the federal government have to do so at their own risk.
What is (or was) CISA?
For the last decade, CISA created a way for private companies to voluntarily share “cyber threat indicators” with the federal government and other companies, including the tactics, techniques, and procedures used (i.e., indicators of compromise); the security vulnerabilities that were exploited; and a description of the harm caused and any information exfiltrated. Companies also could share the defensive measures they take to detect, prevent, and/or mitigate cybersecurity threats.
In return, CISA provided the following protections to companies:
- An exemption from disclosure under the Freedom of Information Act and similar state laws for information shared with the federal government;
- An exemption from antitrust laws for the sharing of cyber threat indicators and defensive measures, allowing companies to share information with one another;
- Liability protections for private companies that monitored their systems or shared cyber threat indicators in good faith compliance with CISA; and
- Confirmation that the information sharing was voluntary, and that there is no duty to share or act on received information.
What Happens Now?
As of October 1, 2025, private companies can no longer rely on CISA’s protections if they decide to share information with the federal government about a cybersecurity incident. Any previous information sharing that occurred while CISA was effective is still protected, but going forward companies should carefully consider the risks that any cybersecurity information voluntarily shared with the government could be discoverable and could expose them to liability.
Companies might look to a pre-2015 policy statement from the Department of Justice and the Federal Trade Commission that gives guidance on how to share cybersecurity information without violating antitrust laws,[1] and to a Department of Justice white paper that provides its view that the Stored Communications Act does not prohibit sharing data with the federal government to promote cybersecurity.[2] However, these are only advisory and do not provide any legal protections.
Therefore, until CISA or another similar information sharing mechanism is put back in place, in most cases sharing cybersecurity information with the federal government will only be protected if it is done pursuant to a subpoena or other legally compelled process.
Will Congress Come to the Rescue?
On October 9, 2025, two members of the U.S. Senate Homeland Security and Governmental Affairs Committee – Senators Gary Peters (D-MI) and Mike Rounds (R-SD) – introduced the “Protecting America from Cyber Threats Act” (the “Act”). This bipartisan-sponsored Act would reauthorize CISA for another ten years and change its name to the Protecting America from Cyber Threats Act. Importantly, the Act also would apply retroactively to October 1, 2025, so any information sharing that happened after CISA expired would still be protected.
The Act received swift support from myriad companies and organizations in the tech industry. But with the government shutdown in its fourth week, and other legislative priorities piling up, it is unclear if and when the Act will eventually work its way through Congress.
[1] www.ftc.gov/system/files/documents/public_statements/297681/140410ftcdojcyberthreatstmt.pdf.
[2] www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/03/26/guidance-for-ecpa-issue-5-9-2014.pdf.