The federal Departments of Homeland Security, Defense and Justice and the Office of the Director of National Intelligence issued guidance on the implementation of the Cybersecurity Information Sharing Act of 2015 (CISA). Among the four guidance documents issued by these agencies is one outlining the ways non-federal entities (which would include private employers) can share information with federal entities regarding cyber threat indicators and defensive measures taken against those threat indicators. The guidance addresses procedures for sharing cyber threat indicator and defensive measure information under the CISA.

The CISA authorizes the sharing of “cyber threat indicators” and “defensive measures” for a “cybersecurity purpose.” The guidance highlights the fact that the CISA attempts to strike an appropriate balance between sharing information about cyber threat indicators and defensive measures and protecting the privacy of information when it is not directly related to and necessary to identify or describe a cybersecurity threat. The guidance further explains that the CISA “promotes the goal of sharing while simultaneously providing privacy protections.” Therefore, the guidance cautions non-federal entities such as private employers to carefully review information before sharing it to ensure they do not inadvertently disclose information that should have been kept private.

The guidance provides an overview of the methods non-federal entities can use to report to federal agencies information about cyber threats and defensive measures. These include the Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) initiative, the webform on DHS’ National Cybersecurity and Communications Integration Center, emailing DHS, and sharing information through Information Sharing and Analysis Centers or Information Sharing and Analysis Organizations.  When a non-federal entity shares information using these methods, it is afforded liability protection under the CISA, as well as other protections such as an exemption from federal antitrust laws.

When a non-federal agency reports cyber threats and defensive measures in a manner other than those outlined above, it does not receive protection from liability, but it still has the other protections available under the CISA, such as the federal antitrust exemption and protection of commercial, financial and proprietary information.

Michael R. Bertoncini

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters, he regularly counsels clients on the practice of positive employee relations, negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Mr. Bertoncini’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He regularly reviews and develops policies and procedures, written information security plans and integrated compliance programs to assist clients in meeting their obligations under privacy and data security laws. Mr. Bertoncini has represented clients in investigations of alleged data breaches and advises them on their reporting obligations in the event of a data breach. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Before joining Jackson Lewis, Mr. Bertoncini was Deputy General Counsel for a hospital system that is the largest fully integrated community care organization in New England. He was responsible for all of the system’s labor and employment law matters, and was involved in its acquisition by a private equity firm as well as its growth from six to ten hospitals in a twelve-month period. His three years as in-house counsel for this large health care system give Mr. Bertoncini a keen understanding of the impact of labor and employment law issues on clients’ business operations.

In addition to his labor relations and privacy experience, Mr. Bertoncini has extensive experience in conducting internal investigations and counseling clients on whistleblower and retaliation matters, as well as negotiating executive agreements, both employment and separation agreements. Mr. Bertoncini also represents clients in the litigation of employment matters. His litigation experience includes matters before federal and state courts and administrative agencies. He has appeared before United States Courts of Appeals and District Courts, Massachusetts and New York state courts, the Equal Employment Opportunity Commission, and the Massachusetts Commission Against Discrimination.

Mr. Bertoncini is a frequent speaker and trainer on labor and employment law topics for various organizations including Massachusetts Continuing Legal Education, Council on Education in Management, Lorman Education Services, the Boston Bar Association, and several chambers of commerce.

While attending Boston College, he received the John A. McCarthy, SJ Award for the most distinguished Scholar of the College thesis.