Senate Delays Cybersecurity Bill Action Until Fall

By Alexei Alexis

Aug. 5 — The Senate Aug. 5 postponed until the fall action on cybersecurity legislation designed to encourage public-private threat information sharing, after Majority Leader Mitch McConnell's (R-Ky.) effort to quickly move the bill before the August recess fell apart.

The delay is a temporary victory for privacy advocates, who have criticized the bill (S. 754) as a potential government surveillance tool. The outlook for passage in the fall is uncertain, given that senators still have unresolved issues to work through and the legislation will have to compete with many other pressing matters.

“Once again, those who value Americans’ privacy more than political expediency have made sure this harmful, misguided bill won’t sail through the Senate without meaningful debate,” Sen. Ron Wyden (D-Ore.) said in a statement.

He said the decision to postpone action “gives us more time to mobilize against this cyber-surveillance bill and to persuade Congress to take up legislation that will actually improve Americans’ security, while also protecting their privacy.”

The legislation, authored by Senate Intelligence Chairman Richard Burr (R-N.C.) and Committee Vice Chairman Dianne Feinstein (D-Calif.), would shield U.S. companies from lawsuits stemming from the disclosure of cybersecurity incidents to government and industry partners.

Procedural Vote Canceled 

A procedural vote scheduled for Aug. 5 was canceled at the last minute, and McConnell instead took to the Senate floor in the late afternoon to announce a unanimous consent agreement allowing him to call up the bill after recess “at a time of his choosing.” But the Senate's first order of business when it reconvenes in September will be voting on a resolution to reject the Iran nuclear agreement.

“With this agreement, we've set up expedited consideration of the cyber bill and the Iran resolution,” McConnell said.

The White House had urged the Senate to take up and pass the cybersecurity bill as soon as possible. The legislation was also backed by leading U.S. trade groups, such as the Financial Services Roundtable, whose members include Bank of America, Visa Inc. and JP Morgan Chase & Co.

But a large number of senators—both Republicans and Democrats—wanted to amend the bill, dimming McConnell’s hopes for swift passage. As many as 90 potential amendments had been filed by Aug. 5.

The deal reached by McConnell and Minority Leader Harry Reid (D-Nev.) allows up to 21 amendments—10 Republican and 11 Democratic—to be offered and made pending. Burr will be allowed to offer a substitute amendment that he drafted with Feinstein.

The agreement also includes amendments from Senate Republicans Rand Paul (Ky.), Tom Cotton (Ark.), Dean Heller (Nev.) and Jeff Flake (Ariz.), as well as Democrats Patrick J. Leahy (Vt.), Al Franken (Minn.) and Wyden.

Tight Fall Schedule

Although senators may eventually reach agreement on cybersecurity legislation this year, it is unlikely to happen before October, according to Alex Manning, senior government relations director at Arent Fox LLP, in Washington.

“Between appropriations, the Iran deal and highway funding, they won’t have time,” Manning, a former House aide, told Bloomberg BNA. “The best thing that will come out of this week is a better idea of where senators are and what they want for amendments. Now that Burr, McConnell and Feinstein have something on paper, they can start making deals.”

Andrew Howell, a partner at the Monument Policy Group in Washington, agreed that passage of the cybersecurity bill in September is unlikely.

“September is shaping up to be a busy month, so adding one more issue to the agenda seems pretty tough,” he told Bloomberg BNA. “And given the difficulty we have seen on coming to agreement on relevant amendments makes it likely that addressing cyber will take some time.”

Blame Game

McConnell spokesman Don Stewart blamed Democrats for the Senate's failure to get a bill passed before recess. He said they stalled the process, but in the end relented and essentially agreed to a McConnell amendment proposal that they had rejected just a day before.

But Adam Jentleson, a spokesman for Reid, said that McConnell was struggling with problems on his own side.

“If he had offered an agreement for a reasonable number of amendment votes followed by passage, Democrats would have consented and the bill could have passed in a timely fashion,” he told Bloomberg BNA. “But Senator McConnell couldn’t clear any such agreement with his fellow Republicans.”

In addition, he said that Democrats see a big difference between McConnell's initial offer and the one that they ultimately accepted.

“What was accepted today is that today’s agreement is just the starting point for consideration of amendments whenever he brings it back up,” Jentleson said. “The offer yesterday was to make amendments pending and then try to jam us with passage quickly, using the recess as a backstop. In that scenario, it was unlikely any amendments would receive votes. Under today’s agreement, we’ll get on the bill with 21 amendments pending and go from there. Hopefully we will have a reasonable amount of time to work through amendments and hold votes—but we won’t have our backs up against the August recess.”

Republican Revolt?

During an Aug. 5 meeting, McConnell tried to persuade members of his caucus to stay in town and finish the cybersecurity bill, but they revolted, according to a Democratic aide. Stewart said he “seriously doubts” the accuracy of that claim.

Ann Beauchesne, senior vice president for emergency preparedness at the U.S. Chamber of Commerce, called on the Senate to swiftly take up and pass the legislation after recess.

“The Senate may have left town without passing cybersecurity legislation, but the need for it remains,” she said in a statement. “Cyberattacks are being launched on a daily basis from various sources, and CISA would help companies achieve timely and actionable situational awareness, which will improve the business community, and the nation’s detection, mitigation and response capabilities.”

To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com