House Panel OKs Cyberthreat Data Sharing Bill, Rejects Sunset

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Alexei Alexis

April 14 — The House Homeland Security Committee approved legislation to boost the sharing of cyberthreat data by U.S. companies, after defeating some Democratic amendments, including a proposed five-year sunset provision.

The bill (H.R. 1731), which was advanced April 14 on a voice vote, would allow dismissal of lawsuits stemming from cybersecurity-related disclosures to the Department of Homeland Security's National Cybersecurity Communications Integration Center (NCCIC) or industry partners.

“Industry needs a safe harbor where legal barriers are removed, appropriate privacy protections are in place, and companies are incentivized to be a full participant with the NCCIC,” Committee Chairman Michael McCaul (R-Texas), who introduced the bill, said at the markup.

While applauding the overall bill, committee ranking member Bennie Thompson (D-Miss.) said the measure's liability protection language might provide relief to companies that act negligently. “It only allows lawsuits where a plaintiff can prove ‘willful misconduct,' ” he said.

Sunset Amendment

A Thompson amendment to place a five-year sunset on the bill was rejected on a 10-15 party-line vote. The panel also rejected language from Rep. Cedric Richmond (D-La.), ranking member of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, to tweak liability protections in the bill.

Under the legislation, the National Cybersecurity Protection Advancement Act, liability protection would be provided to companies that voluntarily share “cyber threat indicators” or “defensive measures,” except in cases of “gross negligence or willful misconduct.” In order to obtain damages, plaintiffs would have to show by “clear and convincing” evidence that they were injured by such conduct.

Before sharing threat information, companies would be required to remove any personal data, and the NCCIC would be responsible for performing a second scrub.

A House Intelligence Committee version (H.R. 1560) was approved on March 26 in a closed markup.

Action by the full House is expected during the week of April 20, although it was not immediately clear whether the Homeland Security and Intelligence bills will be merged or taken up separately.

“We want them to be complementary and compatible,” McCaul told reporters after the markup. “Whether the vehicle is separate tracks or one is an amendment to the other—that has yet to be decided.”

House Majority Leader Kevin McCarthy (R-Calif.) April 13 expressed optimism about the chances of getting cyberthreat data sharing legislation to the president's desk this year, despite failed attempts in previous Congresses.

Senate Action

Meanwhile, Senate Majority Leader Mitch McConnell (R-Ky.) has said that cybersecurity will be among his legislative priorities for the spring. The Senate Intelligence Committee approved cyberthreat data sharing legislation (S. 754) on March 12.

Privacy advocates are concerned that such legislation may be used for surveillance purposes. A key sticking point is potential data access by the National Security Agency, which has been under fire over controversial surveillance programs.

Robyn Greene, policy counsel for the Open Technology Institute at the New America Foundation, said the McCaul bill, in some respects, takes a more narrow approach and protects privacy a “bit better” than the intelligence committee bills.

“For example, there is no requirement to automatically share information with the NSA—that's an important improvement,” Greene told Bloomberg BNA. “But like the Intelligence Committees' approach, this bill is also based on vague definitions and overbroad authorizations that could seriously threaten Americans' privacy, and its defensive measure provisions could even undermine Internet security. It would authorize sharing information, including personal information, not only about cyber threats, but also about any violation or threat of violation of law.”

Bill ‘Falls Short.'

Gregory Nojeim, senior counsel for the Center for Democracy & Technology, was disappointed.

“The House Homeland cybersecurity information sharing bill promised to be ‘the best of bunch' in terms of civil liberties protections among the information sharing bills that Congress is considering,” he told Bloomberg BNA. “But the bill falls short, and authorizes monitoring and information sharing for fighting crimes that have nothing to do with cybersecurity.”

The Homeland Security Committee's action was welcomed by the Financial Services Roundtable.

“Congressional action to better protect consumers from cyberattacks is long overdue,” FSR President and CEO Tim Pawlenty said in a statement. “We applaud the House for addressing gaps in our nation’s cybersecurity laws and urge both chambers of Congress to quickly put a bill on the President’s desk.”

To contact the reporter on this story: Alexei Alexis in Washington at aalexis @bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

Go to the House Homeland Security Committee website at http://homeland.house.gov/markup/markup-hr-national-cybersecurity-protection-advancement-act-2015.