Legislative Activity

Information Sharing Bills Continue to Multiply

Last week, the Senate Select Committee on Intelligence released the bill text of S. 754 – the Cybersecurity Information Sharing Act (CISA) – which previously passed out of the committee by a 14-1 vote. In response to the bill’s release, a number of privacy advocates expressed their concerns with the privacy provisions included in CISA. Most of their comments centered on their concern that the bill would expand the government’s authority to use data that is shared through the information sharing process and that the bill does not do enough to require companies to remove personal data prior to sharing it with the government. Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Ranking Member Dianne Feinstein (D-CA) continue to emphasize the intended purpose of the bill and the compromises that were already made in the Committee’s mark-up to include stronger privacy provisions. They intend to bring the bill to the Senate floor in April.

In addition to the Senate Select Committee on Intelligence’s efforts on cybersecurity, the House Permanent Select Committee on Intelligence is also working to draft its cybersecurity information sharing legislation, which it plans to introduce in the coming weeks. The bill is likely to be similar to CISA. At the same time, House Homeland Security Committee Chairman Michael McCaul (R-TX) has stated that he plans to officially introduce cybersecurity information sharing legislation this week and move the bill to the House floor by April. A draft of the legislation began circulating among stakeholders last week. Chairman McCaul’s bill will make the U.S. Department of Homeland Security (DHS) as the main agency in charge of facilitating cyber threat information sharing between the federal government and the private sector. Additionally, his bill would also contain strong legal liability protections for companies that share information with the government. A mark-up of the bill has not been scheduled to date but could occur as early as this week.

Data Breach Bill to be Marked up this Week

This week, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will mark up the discussion draft of its data security bill – the Data Security and Breach Notification Act of 2015. The subcommittee will meet on Tuesday afternoon to give opening statements on the bill and will reconvene on Wednesday morning to vote on the draft bill. Reps. Peter Welch (D-VT) and Marsha Blackburn (R-TN) unveiled the bill last week which would implement a 30 day requirement for companies that experience a data breach to notify consumers if their personal information may have been compromised. Several House Democrats have called the bill a “non-starter” but it is expected that this bill will successfully make it out of the subcommittee, despite the fact that a timeline for further consideration of the bill has not been announced.

This Week’s Hearings

  • Tuesday, March 24: The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will meet to give opening statements on the Data Security and Breach Notification Act of 2015.
  • Wednesday, March 25: The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will mark up the Data Security and Breach Notification Act of 2015.

Regulatory Activity

DHS Will Release Information Sharing Grant Notice

DHS announced last week that it will issue a federal funding opportunity notice in late spring in order to launch the process of selecting a nongovernmental organization that will lead the efforts to develop new industry standards for information sharing. This grant notice stems from the concepts proposed in the President’s Executive Order last month, which would create a network of Information Sharing and Analysis Organizations (ISAO) to assist in sharing cyber threat data among public and private sector partners. White House Cybersecurity Coordinator emphasized the need for ISAO standards, noting that the industry’s adoption of these standards should be driven by “market forces as opposed to a government mandate.”