A vital cyber defense law known as the Cybersecurity Information Sharing Act of 2015 (CISA 2015) is poised to expire at the end of the month, and leaders in the House and Senate are working to negotiate a replacement within the next 26 days. The House Committee on Homeland Security unanimously approved legislation on September 3, 2025 – titled the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG) – to reauthorize CISA 2015, and Congress is also considering other proposals.
CISA 2015 was enacted 10 years ago, reflecting a bipartisan decision to provide much-needed clarity about the lawfulness of information sharing, deployment of defensive measures, and vital monitoring activities. In short, CISA 2015 made clear that beneficial cyber activities – sharing of threat indicators, deployment of defensive measures, and network monitoring for cyber purposes – were lawful and to be encouraged. The law has been critically important to cyber defense and information sharing efforts over the last 10 years, with enhanced cyber collaboration and defenses flourishing. As we have written previously, though, the law could be tweaked in ways to make it even more effective, and government information sharing mechanisms could be made more user friendly.
But unfortunately, we are headed toward the law’s imminent expiration at the end of September if Congress does not agree on legislation to reauthorize it. Below we discuss the importance of CISA 2015 and the negative impacts that will follow if it is not reauthorized.
Why is reauthorization of CISA 2015 so important? When CISA 2015 was enacted, Congress included a 10-year sunset period that ends September 30, 2025. If the law is permitted to expire, organizations across the United States will face increased risk in doing the very sort of cyber hygiene, defensive work, and information sharing that has been underway and is so vitally needed. Organizations may also lose the important safeguards that were designed to facilitate information sharing, like liability protections for sharing with the government through established means, antitrust protections for industry collaboration on cybersecurity, and exemptions from FOIA or state disclosure laws. CISA 2015 also provided important protections for organizations to engage in good-faith monitoring of their own systems for cybersecurity purposes.
Why is there risk for cyber defense and information sharing activity without CISA 2015? Simply put, because of the possibility of frivolous litigation over the cybersecurity activities that the government and private sector agree are important. Powerful federal and state laws are used by lawyers and plaintiffs to sue private companies in a variety of circumstances for their handling of data and management of digital traffic and systems. The federal Wiretap Act, the Electronic Communications Privacy Act (ECPA), and their state counterparts regulate certain activities and are often used creatively by plaintiffs to seek monetary damages for online activities. The risk of such litigation may chill important cybersecurity activity and collective defense.
Why would organizations be worried about this? Because litigation is expensive and burdensome, even where the claims ultimately fail. Famously, telecommunications companies were sued for allegedly cooperating with the federal government on surveillance activities after the terrorist attacks of September 11, 2001. It took an act of Congress (and years of additional litigation) to terminate those class actions. Plaintiffs now regularly sue technology companies using novel theories under state wiretap and privacy laws for the use of various tools and technologies. For example, a purported class action invoked Pennsylvania’s Wiretapping and Electronic Surveillance Control Act and brought claims for “Invasion of Privacy – Intrusion Upon Seclusion” against a tech company and website operator over the use of session-replay technology that enables a business to capture and reproduce customers’ interactions with websites. Even though a federal appeals court found that the plaintiff in that case did not suffer harm from the alleged “tracking of her interactions” with the website, defendants in these and an array of similar cases face expensive, time-consuming, and ongoing litigation based on often routine and beneficial tech tools.
Why does this matter for CISA 2015? The law sought to promote increased cybersecurity activities in part by responding to concerns over potential litigation. The law made clear that specific activities (information sharing, defensive measures, and network monitoring) were authorized by federal law. It said, in several places, that these things could be done, “[n]otwithstanding any other provision of law,” which removed the possibility that beneficial and important cybersecurity activities could be the basis for frivolous lawsuits under the Wiretap Act, ECPA, or state equivalents. CISA 2015’s preemption provisions and “notwithstanding” language were critical to providing organizations with the assurances they needed that litigation risks were addressed, allowing them to share cybersecurity information among themselves and with the government without fear of costly, crippling litigation.
How is Congress addressing reauthorization? House Homeland Security Chair Andrew Garbarino (R-NY), who took the committee helm in July, has a draft to reauthorize the law and make some clarifying changes. That draft notably retains the extensive privacy protections that were negotiated and are in the 2015 law. The draft was voted out of Committee September 3, 2025 on a 25-0 vote. Others in Congress are considering different approaches and vehicles to get this done. A May 15 House hearing looked at reauthorization issues.
In July, the Senate Select Committee on Intelligence approved a clean 10-year reauthorization of CISA 2015 as part of its 2026 intelligence authorization bill. Typically, intelligence authorization bills are added to the National Defense Authorization Act during floor consideration, which will take place in the coming weeks.
***
It would be a shame for Congress to let this vital law expire at the end of this month, and subject the organizations defending themselves and the public from cyber threats to newfound uncertainty and increased risk that could have a chilling effect on their willingness to share critical cyber threat information.
As officials across government sound the alarm over cyberattacks and nation-state threats, now is not the time to retreat from public-private collaboration and empowerment of the private sector. Congress should recognize the beneficial impacts that CISA 2015 has had on information sharing and think about ways to enhance protections to encourage more information sharing instead of interjecting uncertainty and risk at a time when cyberattacks are increasingly imposing national and economic security risks in the United States.