By Alexei Alexis
Dec. 16 — House and Senate negotiators reached agreement on cyberthreat data sharing legislation that includes a 10-year sunset provision and leaves out language that industry groups feared would lead to increased regulation.
The Senate in October passed a cybersecurity bill (S. 754) that conflicted with similar legislation (H.R. 1560, H.R. 1731) from the House (105 BBR 636, 11/2/15) (208 Banking Daily 208, 10/28/15). Lawmakers worked behind the scenes, without a formal conference process, to negotiate a final bill which both chambers of Congress passed Dec. 18 and President Barack Obama signed into law the same day (see related report in this section). A compromise proposal was attached to year-end omnibus spending legislation.
“It's going to be important for industry and stakeholders to go through the bill with a fine-tooth comb to make sure they understand how this process will really work at the end of the day,” Norma Krayem, co-chairman of the Data Protection and Cybersecurity Group at Holland & Knight LLP, told Bloomberg BNA.
The goal of the legislation is to boost the sharing of cyberthreat information by providing liability protection to companies that voluntarily disclose such data to the government and industry partners. Under the final bill, companies would have to remove any extraneous personal information prior to sharing cyberthreat data and the Department of Homeland Security (DHS) would be required to perform a second scrubbing.
The attorney general and secretary of homeland security would be required, within 180 days of the bill's enactment, to jointly issue and make publicly available final guidelines relating to privacy and civil liberties. Such guidelines would govern the receipt, retention, use and dissemination of cyberthreat data.
A key sticking point was whether companies should strictly use DHS as the portal for sharing information with the government — which was the Senate's plan — or whether to allow data to be shared with multiple federal agencies — which was the House's approach. The compromise version establishes DHS as the portal for sharing information with the government but would authorize the president to designate an additional civilian portal if DHS turns out to be inadequate.
The final bill excludes Senate language, authored by Sen. Susan Collins (R-Maine), that would have required DHS and appropriate regulatory entities to assess whether the government receives adequate information from critical infrastructure entities whose failure due to cyberattacks would cause catastrophic consequences. Banking industry groups including the American Bankers Association and the Financial Services Roundtable said in a letter last month that the provision might create “de facto” regulatory mandates and urged that the language be removed from the final legislation (105 BBR 721, 11/16/15).
Senate Intelligence Committee Vice Chairman Dianne Feinstein (D-Calif.) applauded the House-Senate agreement, calling it an important first step in the fight against cyberattacks.
“The bill encourages the voluntary sharing of cyber-threat information, both company-to-company sharing as well as between companies and the government,” she said in a statement. “This type of information sharing — with strict safeguards for private information — is key to countering cyber attacks.”
Getting the legislation across the finish line this year was a top priority for the Protecting America's Cyber Networks Coalition, which is made up of more than 40 industry groups, including the Financial Services Roundtable, the American Bankers Association, the American Public Power Association, Airlines for America, Global Automakers, the U.S. Chamber of Commerce, and the United States Telecom Association.
“This cyber bill is a ‘team America’ approach that will significantly improve efforts to fight cyber criminals and better protect consumer data and intellectual property,” Tim Pawlenty, president and CEO of the Financial Services Roundtable, said in a statement. “We applaud both Senate and House leaders for their efforts regarding this important cybersecurity legislation.”
Privacy advocates worry that the legislation could become a tool for government surveillance, despite safeguards that were included.
“This cyber bill represents a shameful betrayal of what should have been an open and robust negotiation process to combine three significantly different bills into one superior product,” Robyn Greene, policy counsel at New America's Open Technology Institute, said in a statement.
Greene said lawmakers should demand that the bill be stripped from the omnibus so that the issue can be openly debated and voted on.
Rep. Adam Schiff (D-Calif.), ranking member of the House Intelligence Committee, said the bill contains the “strongest privacy protections to date,” requiring personal data to be stripped from information shared with DHS and providing narrow liability protections to protect businesses that voluntarily participate in the program.
“After several years of effort, Congress has now produced a bipartisan cyber bill that allows the private sector and government to share information about malicious intrusions to protect Americans from further harm,” Schiff said in a statement issued jointly with House Intelligence Committee Chairman Devin Nunes (R-Calif.).
Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP, said there's still more work to be done, including seeing how the information sharing program will actually be constructed and whether it will be effective.
“Further, companies still have to be concerned about the possible consequences of not acting upon threat information they receive,” he told Bloomberg BNA in an e-mail. “No liability protection is offered for that, and that will likely go to the heart of any arguments on whether a company's cybersecurity program was ‘reasonable.’ Still, this is good for industry and more importantly the country.”
The final bill, the Cybersecurity Act of 2015, is the product of negotiations involving the House Intelligence Committee, the House Homeland Security Committee, the House Judiciary Committee, the Senate Intelligence Committee, and the Senate Homeland Security and Governmental Affairs Committee, according to the statement from Schiff and Nunes.
To contact the reporter on this story: Alexei Alexis in Washington at email@example.com
To contact the editor responsible for this story: Keith Perine at firstname.lastname@example.org