Oct. 27 — Over the objections of privacy advocates, the Senate passed legislation that would provide legal immunity to companies that share cyberthreat data.
The Senate measure (S. 754), the Cybersecurity Information Sharing Act (CISA), must now be reconciled with similar legislation (H.R. 1560, H.R. 1731) that has been passed by the House.
“I understand the cyber bills out of the House are significantly different, and so that's going to take a little bit of work,” Senate Majority Whip John Cornyn (R-Texas) told reporters Oct. 27.
Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said a House-Senate agreement may not emerge until after Jan. 1.
“We're going to move at a very slow pace,” he told reporters after the Senate voted.
Under CISA, companies that voluntarily share cyberthreat data with government and industry partners through a portal at the Department of Homeland Security would be shielded from consumer or shareholder lawsuits. Such information also would be protected from Freedom of Information Act requests.
The Senate passed CISA 74-21 on Oct. 27, after adopting a 10-year sunset provision by voice vote and rejecting several amendments that were opposed by the bill sponsors, Burr and Senate Intelligence Committee Vice Chairman Dianne Feinstein (D-Calif.).
“We have negotiated a very delicately written piece of legislation, and any change in that that's substantive, we feel might in fact change the outcome of what this bill accomplishes,” Burr said on the floor.
Senate action on CISA had been endorsed by the White House and a wide range of business groups, including Airlines for America, the American Bankers Association, American Public Power Association, Financial Services Roundtable, Global Automakers, U.S. Chamber of Commerce and the United States Telecom Association.
Opponents have referred to the legislation as a surveillance bill in disguise that would authorize sweeping information sharing between the government and private sector.
An amendment from Sen. Patrick Leahy (D-Vt.) to strike the bill's Freedom of Information Act (FOIA) provision was rejected 37-59. An amendment from Sen. Ron Wyden (D-Ore.) that would strengthen requirements for the removal of personal information from “cyber threat indicators” before sharing was defeated 41-55. An amendment proposed by Sen. Al Franken (D-Minn.) that would clarify that a threat is any action at least “reasonably likely” to result in an unauthorized effort to adversely impact cybersecurity failed by a vote of 35-60.
Sen. Tom Cotton (R-Ark.), a supporter of the bill, unsuccessfully pushed an amendment that would have allowed companies to share cyberthreat data with the FBI and Secret Service, as well as DHS.
“This is a deal killer,” Burr said, just before the amendment was rejected 22-73.
The White House had warned in an Oct. 22 statement that it would “strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal.”
The sunset amendment was offered by Sen. Jeff Flake (R-Ariz.). A last-minute deal was reached to accept a modified Flake amendment that would raise the sunset from six to 10 years, according to Burr. The House legislation includes a seven-year sunset.
A Burr-Feinstein substitute amendment was unveiled on Oct. 20. Among other tweaks, it included Wyden language that would require procedures to notify an individual whose personal information is improperly shared or disclosed and a provision from Sen. Susan Collins (R-Maine) that would require DHS and appropriate regulatory entities to assess whether the government receives adequate information from critical infrastructure entities whose failure due to cyberattacks would cause catastrophic consequences.
The Financial Services Roundtable urged the House and Senate to swiftly reconcile their differences and get a bill to the White House for President Barack Obama's signature.
“This bill will improve efforts to defend against cyber criminals and better protect consumer financial data,” Tim Pawlenty, the association's president and chief executive officer said in a statement.
Specifically, the statement said that negotiators should address “problematic language” in the Senate bill that would create duplicative regulatory oversight for financial firms and mandatory requirements inconsistent with the voluntary nature of the legislation. A spokeswoman said this was a reference to the Collins amendment.
Norma Krayem, co-chair of the Data Protection and Cybersecurity Group at Holland & Knight LLP, said there are “subtle, yet important differences” that need to be worked out between the House and Senate going forward.
“The roles of DHS and the Office of the Director of National Intelligence and other federal agencies, including law enforcement, have to be reconciled and clarified so that the private sector and the privacy advocates understand how the process will work,” Krayem told Bloomberg BNA. “Importantly, the language around what the private sector must do prior to sharing information with the federal government is also critical, both for the private sector and for privacy advocates as well.”
To contact the reporter on this story: Alexei Alexis in Washington at email@example.com
To contact the editor responsible for this story: Keith Perine at firstname.lastname@example.org
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)