First Cyberthreat Data Sharing Measure Passed by House With Sunset Provision

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Alexei Alexis

April 22 — The House April 22 passed legislation (H.R. 1560) to shield U.S. companies from liability risks associated with cyberthreat data sharing, after the chamber adopted a seven-year sunset amendment.

The bipartisan bill, which passed on a 307-116 vote, would provide liability protection to companies that voluntarily share “cyber threat indicators” or “defensive measures” with other private entities or a federal agency. Lawsuits stemming from the disclosure of such information would be wiped out unless there is “willful misconduct” by the company.

“As shown by the recent series of debilitating cyberattacks on U.S. companies, America’s digital networks must urgently be secured,” House Intelligence Committee Chairman Devin Nunes (R-Calif.) said in an April 22 statement.

The legislation, titled the Protecting Cyber Networks Act, was authored by Nunes and House Intelligence Committee ranking member Adam B. Schiff (D-Calif.). The committee approved the bill April 14 by voice vote in a closed markup.

The measure is expected to be merged with another cybersecurity measure (H.R. 1731) that the House passed the next day. H.R. 1731 would designate a Department of Homeland Security portal as the main hub for information sharing between private companies and the government. H.R. 1560 wouldn't designate any specific portal, a House Intelligence Committee aide told Bloomberg BNA.

The Obama administration said April 21 that it supported passage of both House bills, although it called for changes to the measures.

Surveillance Concerns 

The legislation has received strong support from industry groups, but privacy advocates have raised objections about possible use of the data sharing mechanisms to provide information to the National Security Agency.

Critics said the measure would essentially create a back-door government surveillance mechanism, allowing the National Security Agency increased access to Americans' personal data, which could then be used for purposes beyond cybersecurity. Another concern was that the bill's liability protection language was too broadly crafted and would potentially immunize negligence or recklessness.

“At a minimum, House leadership should have given House members a chance to vote on key privacy amendments” to H.R. 1560 Gregory Nojeim, director of the freedom, security and technology project at the Center for Democracy & Technology, said in an April 22 statement. “By denying the votes, they stymied a necessary debate about privacy and the extent to which internet users' personal communications information will be shared with the NSA and law enforcement under the cybersecurity umbrella.”

Privacy Protections 

Members of the Intelligence Committee defended their bill on the floor, saying that it would bolster the nation's cybersecurity while protecting privacy.

“At some point, we need to stop talking about the next Sony, the next Anthem, the next Target, the next JPMorgan Chase, and the next State Department hack, and actually pass a bill that will help ensure that there will be no next cyber attack,” Schiff said.

Rep. Terri A. Sewell (D-Ala.) said the bill includes “many more privacy protections” than the Cyber Intelligence Sharing and Protection Act (CISPA), a version approved by the House in the previous Congress.

Under H.R. 1560, companies would be required to remove any personal information before sharing cyberthreat indicators with the government. The federal agency that receives cyberthreat indicators would be required to perform a second check for personal data before sharing such indicators with other relevant federal agencies.

By voice vote, the House adopted an amendment from Rep. Sheila Jackson Lee (D-Texas) to direct the Government Accountability Office to report to Congress on the actions taken by the federal government to remove personal information from data shared. The House also accepted, by voice vote, an amendment from Rep. Tony Cárdenas (D-Calif.) to instruct the Small Business Administration to encourage sharing with small businesses and financial institutions.

Sunset Amendment 

An amendment from Rep. Mick Mulvaney (R-S.C.) to impose a seven-year sunset on the bill was adopted 313-110.

The Financial Services Roundtable issued a statement earlier in the day, saying that such an amendment would “shake the business community’s confidence in the information sharing programs.”

Senate Majority Leader Mitch McConnell (R-Ky.) has said that cybersecurity will be among his chamber's legislative priorities for the spring.

The Senate Intelligence Committee approved cyberthreat data sharing legislation (S. 754) March 12.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis

To contact the editors responsible for this story: Heather Rothman at; Donald G. Aplin at

H.R. 1560, as reported in the House, is available at

Further information on the amendments to H.R. 1560 is available at

A comparison of the central provisions of H.R. 1560, H.R. 1731 and S. 754 is available in a Bloomberg Government chart at