Cybersecurity: CISA Liability Protections Have Expired – What Now?
October 6, 2025
The Cybersecurity Information Sharing Act of 2015 (CISA) established a legal framework to permit businesses and individuals to share information about cyber threats through various safe harbors and liability protections. These included a liability shield protecting organizations from lawsuits arising out of sharing information about cyber threats and defensive measures, an antitrust safe harbor, a FOIA exemption, limitations on state regulatory enforcement, and preservation of the attorney-client privilege for shared information.
Unfortunately, this Baker McKenzie blog says that these protections have expired, and efforts to renew the legislation have stalled. The blog makes it clear that this is a very big deal:
The failure to renew CISA means that as of October 1, 2025, the key protections codified by the law, including the liability shield and safe harbor, have lapsed. Unfortunately, threat actors will not stop their attacks during the shutdown, and the loss of these important legal protections will have an immediate chilling effect on sharing information and public-private partnership. According to a Wall Street Journal report, Tony Monell, a former senior cyber policy adviser at the Department of Defense, predicts that “information sharing [will] almost cease to exist overnight.”
Without CISA’s liability and antitrust protections, companies must now weigh the risk of lawsuits, regulatory scrutiny and antitrust liability before sharing or receiving threat intelligence. These considerations are especially acute for sectors where sharing may be misconstrued as anti-competitive, such as financial services or energy, or in a litigious environment where plaintiffs’ counsel aggressively scrutinize organizations that are candid about their cybersecurity activities. Businesses should not need to choose between taking actions to deter and mitigate cybersecurity threats and avoiding legal liability—but this is the impossible choice that general counsel, CISOs, and other organizational leaders now face.
The blog goes on to recommend actions organizations can take to mitigate the effects of the expiration of CISA’s protections. These include considering alternative sources of cyber threat intelligence, evaluating the legal risk an organization faces based on the type of information and methods of information sharing it uses, identifying what information is currently being shared and the contractual protections associated with those arrangements, and participating in less formal information-sharing initiatives, such as CISO roundtables or in-person forums.