Date: Apr 24, 2015
On Wednesday, April 22, 2015, the U.S. House of Representatives passed two bills that would promote cyberthreat information sharing. These steps, coupled with recent action on a federal data breach notification measure, show real progress on important aspects of privacy and data security. While some privacy advocates remain opposed to the cyberthreat sharing bills on civil liberties grounds, the House action sets the scene for further discussions with the Senate, and improved prospects for adoption of legislation this year.
First, the House voted 307–116 to pass the Protecting Cyber Networks Act (PCNA, H.R. 1560), a bill designed to allow cyberthreat information sharing between corporations and government agencies. The Office of Management and Budget (OMB) released a statement from the Obama Administration largely supporting the measure, but noting that some “improvements” would be needed. The bill provides legal liability protections for companies that share cyberthreat information with each other or with the government. After opposition from civil liberties and privacy groups, negotiators made liability protection available to a company only if the data undergoes two rounds of “cleaning” of personally identifiable information: one by the company and one by the government agency that receives the data.
Among other things, the bill would do the following:
The Administration’s concerns with the bill include what OMB characterized as the “sweeping” liability protection measures, and the ability to use certain “potentially disruptive defensive measure in response to network incidents.” The Administration said it was committed to working with stakeholders to address its concerns. The statement noted that “[i]nformation sharing is one piece of a larger suite of legislation needed to provide the private sector, the Federal Government, and law enforcement with the necessary tools to combat cyber threats.”
The House also passed the National Cybersecurity Protection Advancement Act of 2015 (NCPAA, H.R. 1731). OMB released a statement similar to the statement issued in connection with H.R. 1560, supporting the principle of sharing cyberthreat information, while expressing reservations about the scope of liability protection and license to take disruptive defensive measures. Among other things, the NCPAA would provide liability protections to non-federal entities (excluding state, local, or tribal governments) that, under the NCPAA, either conduct network awareness, or share cyberthreat information or defensive measures, or that fail to act based on such sharing. Antitrust laws would not bar non-federal entities from sharing cyberthreat information or defensive measures for cybersecurity purposes, or assisting others in the prevention, investigation, or mitigation of cybersecurity risks or incidents. Individuals would be allowed to sue the federal government if an agency intentionally or willfully violated restrictions on the use and protection of voluntarily shared cyberthreat information or defensive measures. The NCPAA would not permit the federal government to require a non-federal entity to provide information to a federal entity. The U.S. Department of Homeland Security (DHS) would be designated as an intermediary for sharing the electronic information.
The two measures now head to the Senate, where another bill, the Cyberthreat Information Sharing Act of 2015 (CISA, S. 754), is under consideration. The Administration’s qualified support for the measures is something of a reversal, as the Administration last year had opposed similar measures. Privacy advocates, including the American Civil Liberties Union (ACLU), the American Library Association (ALA), and the Electronic Frontier Foundation (EFF), oppose the bills, and launched a website, Stop Cyber Surveillance, calling on President Obama to veto them. However, with reports of increasing cyberthreats, including state-sponsored attacks, interest in cyber-sharing legislation remains high and prospects for enactment seem good. In contrast, the likelihood that general privacy legislation reflecting the Administration’s proposed Consumer Privacy Bill of Rights will be adopted is considerably lower.
For more information on privacy and data security requirements and developments, and other related consumer product safety issues, contact Sheila A. Millar at +1 202 434-4143 or firstname.lastname@example.org, or Tracy P. Marshall at email@example.com or +1 202 434-4234. Follow privacy, advertising, and data security developments and other similar topics on Keller and Heckman’s Consumer Protection Connection blog.