Athletes, teams and leagues in the United States have an advanced framework for sharing cyber threat observables and evidence of name, image, likeness (NIL) theft. This framework has been developed under the auspices of the Cybersecurity Information Sharing Act of 2015 (CISA, December 18, 2015). This federal legislation covers all organizations; here we look at how it applies to entities in sports. The law provides two key components:
- It authorizes teams to monitor for cyber threats and to implement defensive measures on their own information; and
- It provides for liability protection for teams, leagues and other organizations that voluntarily share cyber threat indicators.
On February 16, 2016, the U.S. Department of Homeland Security (DHS) and the Department of Justice issued guidance to clarify what constitutes sharing in order to qualify for these protections. Although the guidance offers liability protection for private entities for monitoring, it does not offer the same for operating defensive measures that go beyond monitoring.
Share or Receive Cyber Threat Observables
According to Section 104(c)(1), and subject to certain restrictions, a private entity is authorized to share with or receive from the federal government, state and local governments, and other companies “cyber threat indicators” and “defensive measures” for a cybersecurity purpose. Personally identifiable information (PII) must be obfuscated or deleted before sharing, and the sharing entity must use the DHS CISA process to obtain protection.