On Wednesday, April 22, 2015, the U.S. House of Representatives passed the Protecting Cyber Networks Act ("PCNA"), which would give companies certain liability protection against potential lawsuits when sharing cyber threat data with United States government civilian agencies (such as the Treasury or Commerce Departments). On Thursday, April 23, 2015, the House then also passed a complementary measure from the Homeland Security panel, the National Cybersecurity Protection Advancement Act ("NCPAA"), which would extend liability protections to companies only when giving data to the Department of Homeland Security.
Protecting Cyber Networks Act
The PCNA originated in the House Intelligence Committee in an effort to mitigate the growing problem of cyber-attacks on U.S. networks and American businesses, and passed in a 307-116 vote. The goal of the PCNA is to increase the public-private flow of information concerning cyber threats, and encourage companies to share information regarding cyber-attacks. Under the PCNA, affected companies would provide such information to an agency other than the National Security Agency or the Department of Defense. Pursuant to the PCNA, the federal government would be able to share cyber-attack information with state and local governments, private entities, and non-federal government agencies, among others.
The bill has been met with opposition from privacy advocates, among others, who are concerned it will provide a means by which companies and government agencies could provide sensitive information to the National Security Agency (NSA) and bolster its surveillance authority. They are concerned that the entity which receives the information might still turn it over to the NSA, even though the act provides that information will not be provided to the NSA.
National Cybersecurity Protection Advancement Act
The NCPAA, which originated in the House Homeland Security Committee, was passed by a vote of 355-63. The aim of the bill is to promote the sharing of cyber-attack information between companies and with the Department of Homeland Security by providing liability protections.
One of the key differences in the bills is that the NCPAA only allows information sharing with the Department of Homeland Security while the PCNA provides companies the flexibility to choose to share cyber threat indicators or defensive measures with a number of different government agencies.
It appears that privacy advocates did not express the same concerns about this bill, likely because it has certain limitations surrounding information sharing. For example, under the NCPAA, there cannot be any federal use of shared information to track individuals’ personally identifiable information. The NCPAA also includes language that would require the Department of Homeland Security to create and annually review privacy and civil liberties policies and procedures governing the "receipt, retention, use, and disclosure" of information shared with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in accordance with the bill.
Senate Consideration and Potential Issues
The bills were combined and sent to the Senate for consideration. However, passage in the Senate likely will not be automatic, because privacy advocates, among others, continue to voice concerns over provisions they believe are too broad. Some also believe that consumer protection advocates will oppose the bill because they do not want companies to have legal immunity for weak security practices solely because they report incidents to the government. In an effort to mitigate opposition to the liability shield, the drafters of the bills attempted to more specifically define the protections companies would have if they voluntarily share data with other companies and the federal government. This resulted in language that protects companies from liability so long as they refrain from willful misconduct and make a "good faith" effort to remove extraneous personal information and comply with the bill.
President Barack Obama recently commented that he supported the passage of both House bills, but indicated changes are needed to address issues concerning their "sweeping liability protections."
The passage of the PCNA and NCPAA by the House represents an important step in addressing increasing cybersecurity problems facing the public and private sectors. While the Senate will likely make further revisions to the legislation to address continuing privacy concerns, if it becomes law it will provide additional tools to help combat cyber-attacks.
This legislation is part of a renewed focus on privacy and data protection in the United States that began with President Obama’s State of the Union address in January. Congress is also currently considering legislation relating to more uniform data breach notification laws. Companies should pay close attention to these developments as the country heads into the next election cycle.