October 03, 2025

Cybersecurity Information Sharing Act of 2015 Lapses

Share

On September 30, 2025, the Cybersecurity Information Sharing Act of 2015 (“CISA 2015” or the “Act”) expired as it reached the end of its effective period without being reauthorized by Congress. Intended to enhance sharing of cybersecurity information within the private sector and between the private sector and the government, the sunset of CISA 2015 creates additional legal uncertainty around cybersecurity information sharing. In the absence of the protections CISA 2015 provided, including with respect to liability protections, restrictions on disclosure under the Freedom of Information Act (FOIA), antitrust protections , and restrictions on regulatory use of shared information, information sharing between and within the public and private sectors may be chilled. In this Legal Update, we provide background on CISA 2015 and summarize the potential impact of its expiration and its path to reauthorization.

CISA 2015 Background

Broad and timely sharing of information about cyber threats and how to defend against them has long been understood to enhance cybersecurity across the public and private sectors. To this end, CISA 2015 established a legal framework that was intended to facilitate the voluntary sharing of cyber threat indicators and defensive measures between and within the federal government and non-federal entities, including private sector organizations and state, local, tribal, and territorial governments. The Act aimed to enhance the collective ability to detect, prevent, and respond to cybersecurity threats by promoting real-time information exchange while providing liability protections for entities that share information in accordance with the Act’s requirements.

CISA 2015 established several key protections designed to encourage private sector information sharing, including:

  • An exemption from disclosure under FOIA and similar state laws for information shared with the federal government, protecting sensitive business data from public release;
  • An exemption from antitrust laws for the sharing of cyber threat indicators and defensive measures, allowing companies to share information with one another without fear of violating antitrust laws;  
  • Liability protections for private entities that monitored their own systems or shared cyber threat indicators in good faith compliance with the Act;
  • Confirmation that information sharing was voluntary, with no duty to share or act on received information; and
  • Authorization for network monitoring and the deployment of defensive measures on relevant network.

To protect privacy and civil liberties, CISA 2015 conditioned its protections upon adherence to strict limitations spelled out in the Act. Collectively, these provisions reduced legal and regulatory risks for private sector entities, making it easier for them to engage in cybersecurity information sharing initiatives.

Potential Impact of Expiration

The expiration of CISA 2015 does not necessarily foreclose cybersecurity information sharing between the private sector and the federal government, though CISA 2015’s liability and other protections will no longer apply for exchanges after September 30, 2025. Importantly, the Act’s protections still apply to the sharing of relevant cybersecurity information that occurred  before its expiration.

Companies that share cybersecurity information may wish to evaluate their information sharing practices while CISA 2015 is not in effect. In doing so, they may wish to refer to a pre-CISA 2015 policy statement from the Department of Justice and the Federal Trade Commission regarding antitrust considerations for cybersecurity information sharing, as well as to the Department of Justice’s white paper on considerations under the Stored Communications Act. Companies may also wish to monitor for any further information sharing guidance from the Trump Administration as they evaluate any risks associated with their information sharing approaches going forward.

Path to Reauthorization

The path to reauthorize CISA 2015 remains uncertain. The House Homeland Security Committee favorably reported a bi-partisan reauthorization, which was included in the House-passed Continuing Resolution. However, the Senate Homeland Security and Government Affairs Committee postponed consideration of Chairman Paul’s version of the reauthorization legislation, and the Senate failed to pass the House’s Continuing Resolution.

Notwithstanding the fact that the House-passed bill would have reauthorized CISA 2015’s substantive protections, it is also unclear whether any future Senate action will include substantive amendments that could modify the protections afforded to private sector entities.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe