When cyber threat sharing laws lapse: Legal risk in a government shutdown

The recent shutdown of the federal government has left many critical services in limbo, including the nation’s primary cybersecurity agency. Amid the ongoing budget standoff in Congress, funding for the Cybersecurity and Infrastructure Security Agency lapsed, coinciding with the expiration of the Cybersecurity Information Sharing Act of 2015.

The expiration of the Act creates operational and legal uncertainty for organizations at a time when cyberattacks are at an all-time high. The law had long provided liability protection for companies that shared cyber threat information in good faith, establishing a legal framework for public-private defense collaboration.

Role of CISA

Before the Act took effect in 2015, companies that alerted federal partners or peers about cyber incidents risked violating privacy, contract, and competition laws. The Act was designed to remove those disincentives and encourage information sharing by providing the following:

  • Liability protections: Shielded companies from privacy, contract, and antitrust claims when sharing threat data in good faith via channels developed and approved by the DHS.
  • Privacy safeguards: Required the removal of personal data, and limited sharing to information necessary to address cybersecurity threats.
  • Freedom of Information Act exemptions: Ensured that shared data could not be disclosed through public records requests, protecting trade secrets and sensitive operations.
  • Preemption: Overrode conflicting state laws to create one consistent federal standard for sharing information about cyber threats.

The 2015 Act also laid the groundwork for the creation in 2018 of CISA, the agency that now leads the federal government’s coordination on cyber defense and infrastructure protection. The agency promotes information sharing as the backbone of a “defense-in-depth” strategy, recognizing that no single entity can defend alone.

Recent developments and risk implications

Returning to the present, as the federal funding lapse forced widespread furloughs across government agencies, CISA was left operating with only a fraction of its workforce. Essential cyber incident response teams remain active, but many of the agency’s collaborative and preventive functions have been put on hold.

To make matters worse, the 2015 Act expired on September 30, 2025. Although lawmakers have introduced proposals to renew or replace the law, the path forward remains uncertain amid ongoing political gridlock.

Without the Act, companies arguably lose their protection against federal liability, increasing their legal exposure and reducing situational awareness across sectors. These risks include the following:

  • Privacy and negligence claims if shared data contains personal or confidential information.
  • Antitrust scrutiny when coordinating threat intelligence with competitors.
  • FOIA and disclosure risks for data shared with government agencies.
  • Operational slowdowns as legal review and anonymization steps increase.
  • Insurance and audit pressure requiring documentation and justification for sharing decisions.
  • Weakened collective defense resulting from reduced sharing, leaving critical sectors exposed.

Steps to take now

The simultaneous shutdown of federal operations and the expiration of the Act have created a gap in the nation’s cyber defense framework. To safeguard their information-sharing strategies, companies should consider taking these steps:

  • Review and tighten internal thresholds and policies for sharing.
  • Revisit intercompany, vendor, and consortium contracts to clarify terms and indemnities.
  • Strengthen privacy, data-minimization, and anonymization practices.
  • Document all legal risk assessments and board-level decisions.
  • Engage proactively with insurers to confirm exposure and coverage.
  • Maintain strong internal detection and response capabilities.
  • Monitor legislative reauthorization efforts and participate in industry forums to stay informed and engaged.

Congress continues to debate how to renew or reform the 2015 Act, and any new law may include expanded safe harbors or state-level alternatives. In the meantime, close monitoring, documented decision-making, and proactive governance remain key to compliance and resilience.

The Constangy Cyber Team helps businesses of all sizes and industries develop comprehensive incident response plans and provides support during a breach. We are here to help! Contact us 24/7 at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Lauren Godfrey
    Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
