This week, a new cybersecurity bill was unanimously passed by the House Homeland Security Committee. The National Cybersecurity Protection Advancement (“NCPA”) Act would provide a safe harbor from civil liability to companies that share “cyberthreat indicators,” including certain customer data, with each other and with the National Cybersecurity and Communications Integration Center (“NCCIC”) at the Homeland Security Department. In order to qualify for the safe harbor, companies must ensure certain data privacy protections with respect to the data they share, including by scrubbing all personal information unrelated to a cybersecurity risk before transmitting to the NCCIC. In turn, the government is restricted in how it can use, store, and transfer the data.
The NCPA is one of three bills recently introduced in the House and Senate that seek to promote private sector data sharing on cyberthreats, which many in the industry agree would help strengthen collective national cyberdefense capabilities. But the bills, including legislation proposed by the House and Senate Intelligence Committees, may face ongoing challenges from privacy advocates.
The NCPA would establish a collaborative program under which companies could enter into contracts to provide data on cyberthreat indicators to the NCCIC. In addition to reaping the benefit of certain liability protections, companies could share information with one another and access a pool of NCCIC data to help them shore up the monitoring of cybersecurity threats to their own networks. For its part, the government is only permitted to use and share the information it collects for “cyber security purposes,” though privacy advocates are concerned that this term is defined too broadly to provide a meaningful check on the use of personal data.
Momentum is growing, including from the White House, for public and private collaboration to address the growing threat of cyberattacks and espionage against US companies. As President Obama remarked during a speech at Stanford earlier this year, “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone.” However, as the president also acknowledged, information sharing must be tempered with safeguards for personal information.
Reports indicate that the NCPA will be combined with the House Intelligence Committee’s related bill and introduced on the House floor as early as next week. We will monitor the progress of this legislation, which could be a big step forward for companies seeking to better manage cybersecurity risks as long as privacy concerns can be addressed.