Cyber Bill Excludes ‘Regulatory' Language Opposed by Banks

By Alexei Alexis

Dec. 16 — House and Senate negotiators reached agreement on cyberthreat data sharing legislation that includes a 10-year sunset provision and leaves out language that industry groups feared would lead to increased regulation.

The Senate in October passed a cybersecurity bill (S. 754) that conflicted with similar legislation (H.R. 1560, H.R. 1731) from the House (105 BBR 636, 11/2/15)(208 Banking Daily 208, 10/28/15). Lawmakers worked behind the scenes, without a formal conference process, to negotiate a final bill which both chambers of Congress passed Dec. 18 and President Barack Obama signed into law the same day (see related report in this section). A compromise proposal was attached to year-end omnibus spending legislation.

“It's going to be important for industry and stakeholders to go through the bill with a fine-tooth comb to make sure they understand how this process will really work at the end of the day,” Norma Krayem, co-chairman of the Data Protection and Cybersecurity Group at Holland & Knight LLP, told Bloomberg BNA.

The goal of the legislation is to boost the sharing of cyberthreat information by providing liability protection to companies that voluntarily disclose such data to the government and industry partners. Under the final bill, companies would have to remove any extraneous personal information prior to sharing cyberthreat data and the Department of Homeland Security (DHS) would be required to perform a second scrubbing.

The attorney general and secretary of homeland security would be required, within 180 days of the bill's enactment, to jointly issue and make publicly available final guidelines relating to privacy and civil liberties. Such guidelines would govern the receipt, retention, use and dissemination of cyberthreat data.

Sticking Points

A key sticking point was whether companies should strictly use DHS as the portal for sharing information with the government — which was the Senate's plan — or whether to allow data to be shared with multiple federal agencies — which was the House's approach. The compromise version establishes DHS as the portal for sharing information with the government but would authorize the president to designate an additional civilian portal if DHS turns out be inadequate.

The final bill excludes Senate language, authored by Sen. Susan Collins (R-Maine), that would have required DHS and appropriate regulatory entities to assess whether the government receives adequate information from critical infrastructure entities whose failure due to cyberattacks would cause catastrophic consequences. Banking industry groups including the American Bankers Association and the Financial Services Roundtable said in a letter last month that the provision might create “de facto” regulatory mandates and urged that the language be removed from the final legislation (105 BBR 721, 11/16/15).

Senate Intelligence Committee Vice Chairman Dianne Feinstein (D-Calif.) applauded the House-Senate agreement, calling it an important first step in the fight against cyberattacks.

“The bill encourages the voluntary sharing of cyber-threat information, both company-to-company sharing as well as between companies and the government,” she said in a statement. “This type of information sharing — with strict safeguards for private information — is key to countering cyber attacks.”

Industry Support

Getting the legislation across the finish line this year was a top priority for the Protecting America's Cyber Networks Coalition, which is made up of more than 40 industry groups, including the Financial Services Roundtable, the American Bankers Association, the American Public Power Association, Airlines for America, Global Automakers, the U.S. Chamber of Commerce, and the United States Telecom Association.

“This cyber bill is a ‘team America’ approach that will significantly improve efforts to fight cyber criminals and better protect consumer data and intellectual property,” Tim Pawlenty, president and CEO of the Financial Services Roundtable, said in a statement. “We applaud both Senate and House leaders for their efforts regarding this important cybersecurity legislation.”

Privacy Concerns

Privacy advocates worry that the legislation could become a tool for government surveillance, despite safeguards that were included.

“This cyber bill represents a shameful betrayal of what should have been an open and robust negotiation process to combine three significantly different bills into one superior product,” Robyn Greene, policy counsel at New America's Open Technology Institute, said in a statement.

Greene said lawmakers should demand that the bill be stripped from the omnibus so that the issue can be openly debated and voted on.

Rep. Adam Schiff (D-Calif.), ranking member of the House Intelligence Committee, said the bill contains the “strongest privacy protections to date,” requiring personal data to be stripped from information shared with DHS and providing narrow liability protections to protect businesses that voluntarily participate in the program.

“After several years of effort, Congress has now produced a bipartisan cyber bill that allows the private sector and government to share information about malicious intrusions to protect Americans from further harm,” Schiff said in a statement issued jointly with House Intelligence Committee Chairman Devin Nunes (R-Calif.).

Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP, said there's still more work to be done, including seeing how the information sharing program will actually be constructed and whether it will be effective.

“Further, companies still have to be concerned about the possible consequences of not acting upon threat information they receive,” he told Bloomberg BNA in an e-mail. “No liability protection is offered for that, and that will likely go to the heart of any arguments on whether a company's cybersecurity program was ‘reasonable.' Still, this is good for industry and more importantly the country.”

The final bill, the Cybersecurity Act of 2015, is the product of negotiations involving the House Intelligence Committee, the House Homeland Security Committee, the House Judiciary Committee, the Senate Intelligence Committee, and the Senate Homeland Security and Governmental Affairs Committee, according to the statement from Schiff and Nunes.

To contact the reporter on this story: Alexei Alexis in Washington at

To contact the editor responsible for this story: Keith Perine at