ARTICLE
7 October 2025

Expiration Of Critical Cyber Information Sharing Law Creates Confusion About Authorities And Liability Protections

Wiley Rein

Contributor

Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.

Landmark cybersecurity information sharing legislation that provided both affirmative authorizations and liability protections expired on September 30, 2025, creating uncertainties about future sharing activities. When it was passed 10 years ago, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) reflected a bipartisan decision to provide much-needed clarity in cybersecurity about the lawfulness of information sharing, deployment of defensive measures, and network monitoring activities. As we explained in our previous post as the reauthorization deadline loomed, CISA 2015 provided liability protection for sharing cyber threat information and defensive measures for a cybersecurity purpose with the U.S. Department of Homeland Security, law enforcement, and between private sector entities. The law included privacy protections, an antitrust exemption, protection of attorney-client privilege, confidential treatment for commercial, financial, and proprietary information shared with the government, and federal preemption. The expiration of CISA 2015 has created uncertainty for companies that relied on the statute's protections and could have a chilling effect on the sharing of cyber information at a time when ransomware and nation-state attacks have been escalating.

What does this mean for industry? For the past 10 years, organizations have increased their information sharing across the public and private sectors and have enhanced their cyber defenses, often relying upon the authorizations and protections provided by CISA 2015. Now, organizations can no longer rely upon those authorizations and protections and may need to reevaluate their information sharing and cyber defense policies and practices and compliance strategies, particularly with the following in mind:

  • Federal/State Wiretapping Laws: The Federal Wiretap Act prohibits interception, disclosure, or use of wire or electronic communications, while the Pen Trap Statute prohibits the interception of routing, addressing, and signaling information of communications. While some exceptions exist, CISA 2015 expressly permitted certain network monitoring for cybersecurity purposes, "notwithstanding any other provision of law," and made clear it superseded state laws that may govern such activity. Without these express authorizations, organizations may be faced with allegations and costly litigation related to their cyber defense activities. Indeed, plaintiffs frequently use wiretapping laws to try to bring class actions for common online practices, so it would be reasonable to expect potential litigation over varied cyber practices.
  • Privacy Laws: The Electronic Communications Privacy Act (ECPA) and state privacy laws could be implicated by both the collection and the sharing of personal information as part of cybersecurity risk management activities. Even though CISA 2015 required the removal of personal information not directly related to a cybersecurity threat, it provided broad liability protection for shared information that was related to cybersecurity threats and risk management.
  • Antitrust: CISA 2015 enabled businesses to share cyber threat intelligence without concern that such collaboration would lead to alleged antitrust violations. Vigilance about antitrust compliance can reduce incentives to collaborate and share information. The impacts of antitrust risk related to information sharing may need to be reassessed on a case-by-case basis.
  • Disclosure Risks: CISA 2015 protected certain information shared under the Act with the federal government from being disclosed in response to a Freedom of Information Act (FOIA) request. Further, CISA 2015 provided that organizations sharing threat indicators and cyber defensive measures with the federal government were not deemed to have waived privileges or trade secret protection.

CISA 2015 allowed for more rapid and robust sharing of cyber threat information and defensive measures by providing express protections and authorizations. These protections and authorizations provided assurances that organizations could engage in the covered activities without fear of liability or risk of potential exposure. Rapid and robust sharing of cyber threat information and defensive measures made the cybersecurity ecosystem stronger, enabling collaboration across the private sector and with government and establishing more of a collective defense posture.

In the world of cybersecurity, no single organization has complete access or knowledge required to prevent all attacks, yet CISA 2015 facilitated critical sharing of knowledge, expertise, and capabilities. The many benefits of enhanced sharing under CISA 2015 include:

  • Organizations quickly learned of emerging threats and defensive measures based on collective knowledge of the cybersecurity community;
  • The Department of Justice secured indictments and convictions that disrupted and dismantled cyber threat activities and organizations;
  • The Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned foreign cyber threat actors and their supporting organizations;
  • The Cybersecurity and Infrastructure Security Agency published actionable intelligence advancing the world's cyber defense; and
  • The Federal Bureau of Investigation (FBI) provided intelligence and guidance to organizations that prevented countless compromises, unlocked encrypted files, mitigated damages, and recovered losses.

While CISA 2015 was a law that made certain activities expressly lawful, organizations will still need to find ways to share information and engage in critical defense and monitoring. So as not to lose the benefits that have been achieved over the past 10 years, organizations may wish to conduct a compliance review and risk assessment in areas where they may have been reliant on the protections provided by the Act, including:

  • Policies, Practices, and Agreements for Cybersecurity Information Sharing: Many organizations entered into contractual agreements or established policies and practices. For example, terms of service may include language related to the collection and sharing of cybersecurity information. Vendor contracts may include provisions related to the collection and sharing of cybersecurity information. Companies should consider reviewing policies, practices, and agreements that relied on CISA 2015.
  • Cybersecurity Operations Programs or Activities: Private entities that have relied in part on liability protections for network monitoring and information sharing may choose to reassess their methods of conducting those activities.

Congressional Outlook. Both the House and Senate have put forward measures to reauthorize CISA 2015 this year. Most recently, the House passed a continuing resolution on September 19 to fund the government until mid-November that included a temporary extension of CISA 2015. To date, Senate efforts have failed to move a CISA 2015 reauthorization. A 10-year clean extension of the law was included in the Senate's fiscal year 2026 Intelligence Authorization Act in July and later added to the National Defense Authorization Act, but the provision was blocked from further consideration. Despite bipartisan support, it is unclear whether a CISA 2015 reauthorization or a short-term extension will be passed by Congress this year.

Now that CISA 2015 has expired, organizations face newfound uncertainty and increased information sharing risks that could have a chilling impact on their future willingness to share critical cyber threat information with private-sector peers and the federal government. Without reauthorization, any resulting litigation and enforcement activity could disincentivize information sharing and is likely to have an adverse impact on our collective cybersecurity defenses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
