House bills extend liability protections for sharing threat information

NSA surveillance reform legislation to be introduced soon

Information Sharing Legislation

This week, the House of Representatives passed H.R. 1560 and H.R. 1731, introduced by the Chairmen of the House Intelligence and Homeland Security Committees, respectively. These bills would extend liability protections to companies that voluntarily share cyber threat information with the government and other private entities.

Cyber threat information to be shared is technical information, such as software vulnerabilities, malicious code indicators, methods to conduct cyber attacks, and defensive measures used to defeat such attacks. The bills include significant privacy protections, among them the requirement that both the government and the private sector remove personally identifiable information before sharing and the creation of a new private right of action to sue the federal government if it misuses information shared pursuant to this Act.

The legislation also establishes the Department of Homeland Security (DHS) as the primary interface for the private sector to share information about cyber threats and specifically prohibits liability protections for sharing threat information directly with the Department of Defense (DOD) or the National Security Agency (NSA). Companies wishing to share information with the DHS will be required to enter into a standard agreement to be defined by the DHS or an individually negotiated agreement, although existing information sharing agreements will be honored.

Despite opposition from some privacy advocates, both bills received qualified White House support and passed by wide, bipartisan majorities. The Senate companion bill, S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA), passed out of the Senate Select Committee on Intelligence on March 17, 2015, but has not been scheduled for a vote by the full Senate.

NSA Surveillance

Section 215 of the USA Patriot Act, which allows the government to collect business records including telephone metadata, is scheduled to expire on June 1, 2015. Despite efforts by bipartisan groups of lawmakers in both the House and Senate to limit bulk data collection, on April 22 Senate Majority Leader Mitch McConnell (R-KY) and Senate Intelligence Committee Chairman Richard Burr (R-NC) introduced a bill to reauthorize the Patriot Act through 2020 without any changes.

Within the next week, members of the House Judiciary Committee plan to introduce a new version of the Freedom Act, legislation to end bulk record collection that failed to pass the Senate last year. We expect the House to move quickly on its legislation, but the path forward in the Senate is unclear due to a lack of consensus on whether and how Section 215 should be reauthorized.