Senate Intel OKs Cyberthreat Sharing Bill; Bipartisan Breach Notice Bill Proposed

Bloomberg Law: Privacy & Data Security

By Alexei Alexis

March 12 — Legislation designed to increase the sharing of cybersecurity threat data by U.S. companies with each other and with the government was approved by the Senate Intelligence Committee on a 14-1 vote, leaders of the panel told reporters after a markup that was closed to the public.

Under the legislation, which hasn't yet been released to the public, companies that voluntarily shared cyberthreat information with government or industry partners would receive liability protection, according to panel members. Panel leaders were optimistic the measure will soon head to the Senate floor.

Also March 12, members of the House Energy and Commerce Committee released a discussion draft (bill number unavailable) of legislation designed to establish a national data breach notification standard and preempt existing breach notice laws in 47 states and the District of Columbia.

The breach notice proposal would provide for civil penalties of up to $2.5 million per breach incident for the failure to provide notice to affected individuals.

Bill Provisions Described, Not Released

According to a March 11 joint statement by Senate Intelligence Committee leaders, their bill is designed to provide for increased and “purely voluntary” cyberthreat data sharing by U.S. companies. The measure includes “numerous” privacy protections to prevent over-sharing or government abuses, according to the statement.

The measure narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared. In addition, the bill would restrict government use of shared information to cybersecurity and “serious crimes” and would require the removal of personal information prior to the sharing of threat indicators, the statement said.

The director of national intelligence, secretary of homeland security, secretary of defense and attorney general would be directed to develop procedures for increasing the sharing of classified and unclassified cyberthreat information to the private sector, “consistent with the protection of sources and methods,” according to the statement.

Alex Manning, senior government relations director at Arent Fox LLP in Washington, told Bloomberg BNA that private sector companies will probably be very supportive of the Senate measure, although there are details that should be closely examined once the bill language is made available.

The Senate bill apparently differs in significant ways from a similar proposal released by President Barack Obama in January. For example, under the White House plan, companies would receive liability protection only for cyberthreat information voluntarily shared with the Department of Homeland Security's National Cybersecurity and Communications Integration Center or with industry-led “information sharing and analysis organizations” (ISAOs).

Christopher Boyer, assistant vice president of global policy at AT&T Inc., said at a March 11 USTelecom cybersecurity forum that industry leaders “think the concept of tying the liability protections to the ISAO framework is a bit limiting.”

Sponsors Confident Bill Will Move to Floor

Senate Intelligence Committee Chairman Richard M. Burr (R-N.C.) and Vice Chairman Dianne Feinstein (D-Calif.), who collaborated on the proposal, said at a March 12 press briefing that they were encouraged about the bill's prospects, in light of the 14-1 vote.

Burr said that the vote gives him “all the confidence in the world” to go to Senate Majority Leader Mitch McConnell (R-Ky.) who would push for a vote by the full Senate as soon as possible.

Senate Homeland Security and Governmental Affairs Chairman Ron Johnson (R-Wis.) said March 6 that he would allow Senate Intelligence Committee leaders to spearhead the crafting of the cyberthreat data sharing legislation, although both panels have jurisdiction over the issue.

Wyden Dissents Over Privacy Concerns

The sole dissenting vote during the bill markup was cast by Sen. Ron Wyden (D-Ore.), who said in a March 12 statement that he voted against the bill because of privacy concerns.

“If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” Wyden said.

“The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security,” he said. “Strong cybersecurity legislation should make clear that government agencies cannot order U.S. hardware and software companies to build weaker products, as senior FBI officials have proposed.”

ACLU, CDT Concerned

Gabe Rottman, legislative counsel with the American Civil Liberties Union in Washington, said that based on his review of an earlier draft of the bill circulated by Burr and Feinstein, the legislation “isn’t an information sharing bill at all.” He said in a March 12 statement to Bloomberg BNA that the bill “might as well be called Patriot Act 2.0” given the amount of personal information it would allow to be funneled to the National Security Agency.

“Private industry already has the ability to share information with itself and the government,” he said. “This bill does away with critical privacy checks, and would open the floodgates to sensitive information with little relation to cybersecurity being shared with the military and spy agencies.”

The ACLU and other groups March 2 sent a letter to Senate Intelligence Committee leaders objecting to the earlier draft of the bill.

Privacy groups are also concerned about the lack of transparency in the Senate Intelligence Committee's deliberations on the proposed legislation.

“The bill is complex, and it needs a lot of work,” Gregory Nojeim, senior counsel for the Center for Democracy and Technology in Washington, told Bloomberg BNA March 11 in advance of the markup session. “The committee’s consideration of a bill like this, which will impact the privacy of Internet users worldwide, should never be undertaken behind closed doors.”

Breach Notification Legislation

The Data Security and Breach Notification Act (bill number unavailable), which was unveiled by House Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require companies that collect and maintain consumers' personal data in electronic form to employ reasonable security measures to safeguard the information and to provide notice to individuals in the event of a security breach.

The measure is set for review at a March 18 hearing before the panel's Subcommittee on Commerce, Manufacturing, and Trade, according to a March 12 statement by the sponsors.

“It’s imperative that we take action to prevent hackers’ success and provide safeguards to consumers to protect their virtual selves if and when their data is compromised,” Blackburn said.

Risk of Harm Trigger

The proposed law contains a risk of harm trigger that would allow companies to avoid notifying individuals if “there is no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was subject to the breach of security.”

Covered entities would be required to notify affected individuals of a breach “as expeditiously as possible and without unreasonable delay,” and in any case no later than 30 days after the entity has discovered the breach and taken measures to restore the integrity of the affected computer system.

If a breach affected 10,000 or more individuals, the company or government agency facing the breach would be required under the proposed law to notify the Federal Trade Commission and either the U.S. Secret Service or the Federal Bureau of Investigation.

$2.5M Civil Penalties

The FTC and the attorneys general of the states would be authorized to enforce the proposed law. Civil penalties of up to $11,000 per day per violation, up to a maximum of $2.5 million, would be authorized.

The proposed law would specifically ban any private right of action to enforce the law.

Although the bill would preempt state breach notice statutes, a provision to preempt state common laws for breaches is still under discussion because “parties to this staff draft have not yet reached agreement on the scope of preemption and continue to discuss the issue,” according to the discussion draft.

To contact the reporter on this story: Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

A recent draft of the Senate cybersecurity threat data sharing bill is available at http://www.burr.senate.gov/public/_files/CISA%202015%20Discussion%20Draft.pdf.

Full text of the discussion draft of the Data Security and Breach Notification Act is available at http://op.bna.com/der.nsf/r?Open=sbay-9ujtzq.

A summary of the draft House bill is available at http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/analysis/20150312DataSecuritySummary.pdf.