Returning Congress May Focus on Cybersecurity, Surveillance
Daniel R. Stoller
The 115th Congress will have a full plate of cybersecurity, email privacy, and surveillance
bills when it starts its fall term Sept. 5.
Lawmakers will be considering mandating enhanced cybersecurity protections and best
practices for companies, updating a decades-old email privacy law, and continuing
an important national security surveillance authority.
Large-scale cyberattacks in 2017 have put pressure on Congress to pass legislation
to help the public- and private-sectors ward off future attacks. Cybersecurity bills
in the House and Senate would provide more guidance to small- and medium-sized businesses
and update the Vulnerabilities Equities Process (VEP), under which federal government
officials decide whether to divulge cybersecurity exploits and inform affected companies.
- H.R. 2481 and S. 1157, the PATCH Act, would update the VEP process by making the
U.S. government more transparent and accountable when retaining and disclosing cybersecurity
vulnerabilities to agencies, intelligence organizations, or the private sector. Under
the bills, the Department of Homeland Security would serve as the head of an interagency
review board that would create new oversight mechanisms for vulnerability disclosure
and retention. The bill has gotten support from tech companies, such as McAfee Inc.
and Mozilla Corp., and privacy advocacy groups, including New America’s Open Technology
Institute and the Center for Democracy and Technology.
- H.R. 584, the Cyber Preparedness Act, would direct the Department of Homeland Security
to ensure it shares its cybersecurity information with state, local, and regional
centers. The bill would expand grants for statewide cybersecurity threat data dissemination.
- H.R. 2105, the NIST Small Business Cybersecurity Act, and S. 770, the MAIN STREET
Cybersecurity Act, would ensure that the National Institute of Standards and Technology
(NIST) updates its cybersecurity framework to provide small businesses with simplified
resources that they can more easily implement.
House: Rep. Lieu (D-Calif.) introduced H.R. 2481 May 17, and it was referred to the Committee
on Oversight and Government Reform. The House passed H.R. 584, by Rep. Donovan (R-N.Y.),
by voice vote Jan. 31, and it was referred to the Senate Committee on Homeland Security
and Governmental Affairs. The Committee on Science, Space, and Technology approved
H.R. 2105, by Rep. Webster (R-Fla.), by voice vote May 2.
Senate: Sen. Schatz (D-Hawaii) introduced S. 1157 May 17, and it was referred to the Committee
on Homeland Security and Governmental Affairs. The Commerce, Science, and Transportation
Committee approved S. 770, by Schatz, by voice vote April 5.
House: The PATCH Act, H.R. 2481, hasn’t seen any action and other legislative priorities,
such as federal surveillance authority renewal and an email privacy law overhaul,
may dampen the bill’s prospects this year. However, broad industry support and increasing
cybersecurity risks to the government and private-sector may force the House to take
up the measure. The NIST Small Business Cybersecurity Act, H.R. 2105, may see House
floor action this year because it has bipartisan support and the backing of the U.S.
Chamber of Commerce and the National Association of Federal Credit Unions.
Senate: The PATCH Act, S. 1157, also hasn’t seen action in the Senate and may face the same
fate as the House bill due to other legislative priorities. The Senate may act on
the bill if cyberattacks continue or ramp up, causing greater risks to the government
or companies. The Senate hasn’t acted on Donovan’s Cyber Preparedness Act, H.R. 584,
and it’s unclear if it will take further action this year. The MAIN STREET Cybersecurity
Act, S. 770, may see Senate floor action this year because it has bipartisan support
and the backing of the National Small Business Association, the U.S. Chamber of Commerce,
and the Information Technology Industry Council.
Administration: The Trump administration hasn’t taken a position on any of the bills.
These bills would amend the Electronic Communications Privacy Act, a 1986 law passed
before the internet and email became prevalent. They include provisions that would
require warrants for access to all stored communications except in certain limited
- A U.S. Court of Appeals for the Second Circuit decision in
Microsoft v. United States brought ECPA warrant issues to the forefront this year when the court ruled that
the Stored Communications Act—part of ECPA—couldn’t be used to compel Microsoft to
turn over emails stored on servers in Ireland without a warrant. The Second Circuit
called on Congress to update the law to better protect privacy interests and law enforcement
access to data stored abroad.
- H.R. 387 and S. 1654, the Email Privacy Act, would require warrants for access to
stored communications by eliminating an ECPA provision allowing less stringent requirements
for emails held for more than 180 days.
- S. 1657, the ECPA Modernization Act, is similar to S. 1654 but includes further protections
for historical and real-time geolocation information. It would prohibit the use of
communication and geolocation data obtained in violation of ECPA, and would require
notice within 10 days to individuals whose electronic communications were sought under
- S. 1671, the International Communications Privacy Act (ICPA), also includes the warrant
requirement for stored communications no matter where the data is stored. Under the
bill, U.S. law enforcement agencies would be able to obtain communications of foreign
nationals located outside the U.S. under certain circumstances.
- ICPA also includes language that would instruct Congress, the Department of Justice,
and the U.S. Trade Representative to pursue trade deals and other initiatives that
don’t include data localization requirements.
House: The House passed H.R. 387, by Rep. Yoder (R-Kan.), by voice vote Feb. 6, and it was
referred to the Senate Judiciary Committee.
Senate: Sen. Lee (R-Utah) introduced S. 1654 July 27 and it was referred to the Judiciary
Committee. Lee introduced S. 1657 July 27, and it was referred to Judiciary. Sen.
Hatch (R-Utah) introduced S. 1671 July 27, and it was referred to the Judiciary Committee.
Senate: S. 1654, the companion legislation to the House-passed bill, has the best chance
of advancing in the Senate this year. However, the Email Privacy Act died in the Senate
last year due to objections from Sen. Cornyn (R-Texas). The bill died after Cornyn
pushed for language that would have expanded the FBI’s use of national security letters
to access stored communications. It is unclear whether Cornyn or other senators would
try to advance such language this year.
Administration: President Trump hasn’t taken a position on any of the bills. The Department of Justice
has supported updates to ECPA, such as a requirement for email service providers subject
to U.S. jurisdiction to turn over data no matter where the provider chooses to store
it, similar to language in S. 1671. However, the DOJ hasn’t backed a specific bill
and is looking to the U.S. Supreme Court to overturn the Second Circuit’s
The Foreign Intelligence Surveillance Act (FISA) gives the National Security Agency
authority to conduct electronic and physical surveillance on foreign targets. Section
702 of the law specifically authorizes government collection of digital communications
of foreign citizens outside of the U.S. from internet service and other communications
providers. The authority is set to expire Dec. 31.
- S. 1297 would reauthorize Section 702 permanently. Lawmakers are weighing other
approaches, such as legislation that would temporarily renew the authority and add
privacy protections, but no other bills have been introduced.
- Tech companies, such as Facebook Inc., Microsoft Corp., and Alphabet Inc.'s Google,
have called for more transparency and privacy protections in the Section 702 process.
Privacy advocates, including the American Civil Liberties Union and FreedomWorks LLC,
have rallied against the Senate bill, saying it would allow the U.S. government to
conduct surveillance on U.S. citizens without a warrant.
House: No reauthorization bill has been introduced in the House.
Senate: Sen. Cotton (R-Ark.) introduced S. 1297 June 6, and it was referred to the Judiciary
House: Although no bill has been introduced, House lawmakers probably will act before the
end of the year to prevent the surveillance authority from expiring.
Senate: S. 1297 has broad support from Republicans on the Select Committee on Intelligence,
including Chairman Burr (N.C.). Democrats, including Intelligence Committee ranking
member Feinstein (Calif.) and Sen. Franken (Minn.), have argued for a sunset provision
to ensure regular review of the surveillance authority to make sure privacy protections
are maintained. Republicans and Democrats agree that FISA Section 702 is an important
surveillance tool, and the main question is likely to be whether to reauthorize it
temporarily or permanently.
Administration: President Trump has called for a “clean reauthorization” of the expiring surveillance
provisions without a sunset provision. Trump’s homeland security and counterterrorism
adviser, Tom Bossert, has also backed Cotton’s bill.
To contact the reporter on this story: Daniel R. Stoller in Washington at
To contact the editor responsible for this story: Donald Aplin at
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.