Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future. On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision. Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20. Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.
The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.” The amendment was intended as a nod to privacy advocates who have raised concerns that the bill would create an additional source of information for the National Security Agency’s intelligence programs. The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing. However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it. The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measures or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not just in a “good faith” attempt to comply with the bill’s provisions.
The committee also rejected a proposed amendment by Rep. Bennie Thompson (D-Mississippi) that would have added a five-year sunset provision to the bill, on the grounds that a sunset provision would make the information-sharing program appear to be a temporary experiment and that companies would be hesitant to participate. However, the committee did pass an amendment inserting a seven-year sunset provision for all reports mandated by the bill. In addition to this information-sharing bill, the House Intelligence Committee recently approved another information-sharing bill, the Protecting Cyber Networks Act (H.R. 1560), which would provide liability protections for companies sharing cyber threat information with civilian agencies. House leaders intend to combine the two bills and bring a single information-sharing bill to the House floor for a vote next week. The Senate Intelligence Committee has also passed an information-sharing bill, the Cybersecurity Information Sharing Act (S. 754), that Senate leaders intend to bring to the floor “in the near future” for a vote.
Yesterday, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act on a 29-20 party-line vote. The bill, as approved, would require entities to maintain “reasonable” security measures and practices to protect consumer data and notify consumers within 30 days after the entity determines the scope of the breach and restores the security of the system. During the markup session, significant debates occurred over the extent to which the bill should preempt existing state laws regarding information security requirements. The committee passed amendments that added email addresses, if associated with usernames and passwords, to the bill’s definition of personally identifiable information (PII) and established a cap on the Federal Trade Commission’s ability to fine first-time offenders.
Rep. Bobby Rush (D-Illinois) also offered an amendment containing a substitute bill that would have expanded the bill’s definition of PII to cover emails, health information, and geolocation information and removed the financial harm requirement in the bill’s notification obligation. Rep. Rush’s amendment also would have limited the bill’s preemption of state law and allowed for enforcement of the bill’s provisions by state attorneys general. Although the committee rejected the amendment, it was supported by Rep. Peter Welch (D-Vermont), one of the bill’s cosponsors, signaling possible Democratic discontent with the terms of the bill. Following the markup and vote, representatives from both parties pledged to continue to work on the bill to bridge some of the disagreements brought to light during the markup session. Several representatives stated that such work should occur before the bill is brought to the House floor for a vote, indicating that the data breach bill may end up on a longer timetable than the information-sharing bill. Although a Senate version of the Data Security and Breach Notification Act (S. 177) has been introduced, it has not yet progressed through a committee vote.