With an increasing number of high-profile data breaches in the news, both the U.S. Senate and the House of Representatives have pushed forward on several data security and privacy bills. In recent months, lawmakers have made significant progress on cybersecurity information-sharing bills, which provide certain protections from liability for companies that share information about threats and attacks with the government and/or private organizations. This article summarizes and compares the bills as they currently stand.
Supporters of the information-sharing bills argue that companies are currently reluctant to share cyber threat information out of fear that providing such information to government bodies or private organizations could expose the companies to private causes of action or regulatory investigations. These bills are therefore meant to give companies an incentive to share cyber threat information by providing some protection for them in exchange.
Similar bills passed the House in 2012 and 2013 but failed in the Senate (and potentially faced a veto from President Obama in any case). Critics of those bills cited insufficient protections for the personally identifiable information of customers, employees, or others that might be contained in the information a company would share with the federal government. Concerns about the intelligence community’s access to such information were similarly raised. Additionally, some critics, including President Obama, have cautioned that liability protection for information sharing must not be overly broad.
Lawmakers claim they have taken such criticisms into consideration in drafting the current iterations of these bills. On April 22nd and 23rd, the House passed two slightly different information-sharing bills, the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act. The two bills have been combined and sent to the Senate, which is also considering the Cybersecurity Information Sharing Act of 2015, advanced out of committee in March. A fourth bill, the Cyber Threat Sharing Act of 2015, has also been introduced in the Senate, though it has been lying dormant in committee since February. Please click here for a table summarizing the key features of each of these bills.
Whether any version of an information-sharing bill passes the Senate will largely depend on whether Senators are satisfied that the privacy issues raised previously have been addressed. President Obama has made clear that any such bill should have only “targeted, narrow” liability protections. Nevertheless, Congress and the President have both focused increasingly on cybersecurity issues in 2015. Congress is currently considering several bills on other data security and privacy topics, including federal data breach notification rules, student data privacy, and National Security Agency bulk data collection reform, and President Obama has rolled out several proposals and executive orders. Whether the increased focus on cybersecurity is enough to ensure passage of an information-sharing bill remains to be seen.