Floor action is expected in April-May, including a House “Cyber Week”

Data breach legislation is being considered in the House

Senate

On March 12, 2015, the Senate Intelligence Committee reported out favorably S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA), by a vote of 14-1. We expect this bipartisan legislation, which is co-sponsored by Chairman Richard Burr (R-NC) and Ranking Member Dianne Feinstein (D-CA), to be the main Senate vehicle for cybersecurity legislation in this session of Congress.

CISA would create additional incentives to increase sharing of cybersecurity threat information, including offering liability protections to the private sector. CISA would also authorize companies to share cyber threat indicators or defensive measures with each other or the government voluntarily, establish the Department of Homeland Security (DHS) as the primary federal portal for the private sector to share cybersecurity information, and require extensive reporting on implantation and privacy impacts.

Chairman Burr and Senate Majority Leader Mitch McConnell (R-KY) have indicated a desire to bring S. 754 to the Senate floor before the end of April 2015, but full Senate deliberation will likely be delayed due to continued delays in passing key legislation that have resulted from ongoing partisan differences generally and the press of other legislation deemed to be a higher priority. Some industry groups support CISA, but privacy and civil liberty groups, including the American Civil Liberties Union (ACLU) and the Center for Democracy and Technology (CDT), remain opposed.

House of Representatives

The House of Representatives is tentatively scheduled to hold a “Cyber Week” in April to consider legislation from the House Intelligence, Homeland Security, and Energy and Commerce Committees. House Republican leadership instructed each committee to work within their own jurisdiction in order to pass a package of complementary bills.

The House Homeland Security Committee and House Intelligence Committee will release draft information sharing bills late this week or early next week. These two bills will authorize information sharing and improve cybersecurity assets at the DHS and the National Security Administration (NSA). Like CISA, these bills will authorize companies to share cyber threat information with each other and the federal government with the DHS as the primary (but not only) portal.

The House Judiciary Committee is drafting liability language that will be included in both the House Intelligence and House Homeland Security Committee bills. Text is not yet available, but we expect it to be similar to the liability protections in S. 754.

In addition to legislation addressing information sharing and liability protections, the House Energy and Commerce Committee released a draft data breach bill co-sponsored by Rep. Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT).

Lawmakers have repeatedly failed to pass a national data breach law and it is unclear whether this legislation will overcome early criticism by privacy advocates or will have a Senate companion bill. This legislation would preempt existing state laws and create a federal uniform data security and breach notification standard. The bill would also require companies who have been breached to notify people whose data may have been stolen within 30 days. The Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a legislative hearing on March 18, 2015 to discuss how the draft bill could be improved.