Information sharing about cybersecurity threats and vulnerabilities produces enormous benefits — enabling entities to quickly learn about and protect against new and evolving attack vectors. Effective information sharing also provides significant economic benefit for the organizations involved; helps protect companies against vulnerabilities being propagated by a weak link in the supply chain; and serves the broader public interest by improving security and resilience across the global community. It is a collective action with collective benefits.
However, within the United States, reaping the benefits of information-sharing programs can often be hindered by an incomplete understanding of legal risk. Private sector entities are often unsure about what can and should be shared, how to share information without inadvertently running afoul of legal and compliance obligations, and how to carry out information sharing in a way that minimizes liability risks.
This document – from the Center for Cybersecurity Policy & Law and the Health-ISAC – addresses each of these considerations. It provides a reminder of the benefits of information sharing. It offers guidance on what can and should be shared, consistent with the overriding goal of creating a shared understanding and mitigating the risks of emergent threats; and it addresses the legal and compliance issues — suggesting best practices for sharing information while mitigating liability and other legal and reputational risks. That said, this document is not intended to constitute legal advice; entities should consult with counsel to help shape the specifics of any information-sharing agreement.
