As an update to last week’s article, Congress To Take Up Major Cybersecurity Legislation During “Cyber Week”, the House passed H.R. 1560 and H.R. 1731. These Acts will now be combined and sent as a package to the Senate.
On Wednesday, April 22, the House approved H.R. 1560, the Protecting Cyber Networks Act, in a 307-116 vote. On Thursday, April 23, the House approved H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015, in a 355-63 vote. The House approved H.R. 1560 and H.R. 1731 in order to enhance the voluntary sharing of cyber threat indicators and defensive measures between companies, and between companies and the federal government, while ensuring that privacy and civil liberties protections are respected.
To enhance the voluntary sharing of cyber threat information, the House included in the Acts a provision granting companies protection from civil liability when they are monitoring information systems and/or sharing cyber threat information. The House narrowed the scope of liability protections by shielding companies from civil liability only when they acted in good faith and in accordance with the Acts. Under H.R. 1560, liability protection will not be afforded to those companies that have engaged in willful misconduct. However, even with this language, criticism over the scope of liability protections remains. While the Obama administration supports the House passage of these Acts, on Tuesday, April 21, it noted in a Statement of Administration Policy on H.R. 1560 and in a Statement of Administration Policy on H.R. 1731 that it still has concerns about the “sweeping liability protections.” Furthermore, “improvements to the bill are needed to ensure that its liability protections are appropriately targeted to encourage responsible cybersecurity practices.” With these concerns still present, it is likely that the Senate will discuss narrowing the language even further.
As noted above, under the Acts, the House sought to enhance the voluntary sharing of cyber threat information, while ensuring that privacy and civil liberties protections remain. As a consequence, under the Acts, companies and the federal government must remove personal information of specific persons who are not directly related to the cybersecurity threat before sharing any information. In addition to this requirement, there will be periodic reports sent to Congress in order to ensure proper oversight of the federal government in regards to whether personal information is being properly scrubbed from shared data and not used for purposes unrelated to cybersecurity. For example, under H.R. 1560, the Director of National Intelligence must periodically report to Congress on the federal government’s use of the shared data, and the Privacy and Civil Liberties Oversight Board must report to Congress and the President on the sufficiency of the procedures that address privacy and civil liberties concerns.
Overall, interested parties see the passage of these Acts as progress. The question now is how the Senate will address the combined legislation and whether discussions in the Senate will be stalled due to other pressing issues.