Oct. 27 — Over the objections of privacy advocates, the Senate passed legislation that would provide legal immunity to companies that share cyberthreat data.
The Senate measure (S. 754), the Cybersecurity Information Sharing Act (CISA), must now be reconciled with similar legislation (H.R. 1560, H.R. 1731) that has been passed by the House.
“I understand the cyber bills out of the House are significantly different, and so that's going to take a little bit of work,” Senate Majority Whip John Cornyn (R-Texas) told reporters Oct. 27.
Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said a House-Senate agreement may not emerge until after Jan. 1.
“We're going to move at a very slow pace,” he told reporters after the Senate voted.
Under CISA, companies that voluntarily share cyberthreat data with government and industry partners through a portal at the Department of Homeland Security would be shielded from consumer or shareholder lawsuits. Such information also would be protected from Freedom of Information Act requests.
The Senate passed CISA 74-21 on Oct. 27, after adopting a 10-year sunset provision by voice vote and rejecting several amendments that were opposed by the bill sponsors, Burr and Senate Intelligence Committee Vice Chairman Dianne Feinstein (D-Calif.).
“We have negotiated a very delicately written piece of legislation, and any change in that that's substantive, we feel might in fact change the outcome of what this bill accomplishes,” Burr said on the floor.
Senate action on CISA had been endorsed by the White House and a wide range of business groups, including Airlines for America, the American Bankers Association, American Public Power Association, Financial Services Roundtable, Global Automakers, U.S. Chamber of Commerce and the United States Telecom Association.
Opponents have referred to the legislation as a surveillance bill in disguise that would authorize sweeping information sharing between the government and private sector.
An amendment from Sen. Patrick Leahy (D-Vt.) to strike the bill's Freedom of Information Act (FOIA) provision was rejected 37-59. An amendment from Sen. Ron Wyden (D-Ore.) that would strengthen requirements for the removal of personal information from “cyber threat indicators” before sharing was defeated 41-55. An amendment proposed by Sen. Al Franken (D-Minn.) that would clarify that a threat is any action at least “reasonably likely” to result in an unauthorized effort to adversely impact cybersecurity failed by a vote of 35-60.
Sen. Tom Cotton (R-Ark.), a supporter of the bill, unsuccessfully pushed an amendment that would have allowed companies to share cyberthreat data with the FBI and Secret Service, as well as DHS.
“This is a deal killer,” Burr said, just before the amendment was rejected 22-73.
The White House had warned in an Oct. 22 statement that it would “strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal.”
The sunset amendment was offered by Sen. Jeff Flake (R-Ariz.). A last-minute deal was reached to accept a modified Flake amendment that would raise the sunset from six to 10 years, according to Burr. The House legislation includes a seven-year sunset.
A Burr-Feinstein substitute amendment was unveiled on Oct. 20. Among other tweaks, it included Wyden language that would require procedures to notify an individual whose personal information is improperly shared or disclosed and a provision from Sen. Susan Collins (R-Maine) that would require DHS and appropriate regulatory entities to assess whether the government receives adequate information from critical infrastructure entities whose failure due to cyberattacks would cause catastrophic consequences.
The Financial Services Roundtable urged the House and Senate to swiftly reconcile their differences and get a bill to the White House for President Barack Obama's signature.
“This bill will improve efforts to defend against cyber criminals and better protect consumer financial data,” Tim Pawlenty, the association's president and chief executive officer, said in a statement.
Specifically, the statement said that negotiators should address “problematic language” in the Senate bill that would create duplicative regulatory oversight for financial firms and mandatory requirements inconsistent with the voluntary nature of the legislation. A spokeswoman said this was a reference to the Collins amendment.
Norma Krayem, co-chair of the Data Protection and Cybersecurity Group at Holland & Knight LLP, said there are “subtle, yet important differences” that need to be worked out between the House and Senate going forward.
“The roles of DHS and the Office of the Director of National Intelligence and other federal agencies, including law enforcement, have to be reconciled and clarified so that the private sector and the privacy advocates understand how the process will work,” Krayem told Bloomberg BNA. “Importantly, the language around what the private sector must do prior to sharing information with the federal government is also critical, both for the private sector and for privacy advocates as well.”
To contact the reporter on this story: Alexei Alexis in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Keith Perine at email@example.com