Yesterday the U.S. House of Representatives passed the National Cybersecurity Protection Advancement Act (NCPAA), a bill that would provide liability protections for companies sharing cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). A related bill, the Protecting Cyber Networks Act (PCNA), was passed by the House on Wednesday and would provide similar liability protections when companies share information with civilian agencies. As we reported last week, the two bills are expected to be combined before heading to the Senate.
National Cybersecurity Protection Advancement Act
NCPAA, which originated in the House Homeland Security Committee, was passed yesterday by a vote of 355-63. The bill is designed to encourage companies to share information regarding “cyber threat indicators” and “defensive measures” with each other and with NCCIC by providing liability protections for companies that engage in such sharing for cybersecurity purposes, as well as for companies that fail to act as a result of such sharing. The bill provides similar protections for companies that engage in “network awareness,” a term defined by the bill as “to scan, identify, acquire, monitor, log, or analyze information that is stored on, processed by, or transiting an information system.” NCPAA would also permit NCCIC to share information regarding cybersecurity threats with private companies, in addition to other non-federal entities.
The bill includes a number of provisions designed to limit the privacy impact of information sharing, including a prohibition on federal use of shared information to engage in surveillance for the purpose of tracking individuals’ personally identifiable information. The bill also would require that the Department of Homeland Security establish and annually review privacy and civil liberties policies and procedures governing the “receipt, retention, use, and disclosure” of information shared with NCCIC pursuant to the bill.
Eleven amendments to the bill were adopted before the final vote, including an amendment proposed by Rep. Mick Mulvaney that would sunset the provisions of the bill after seven years. Another amendment, proposed by Rep. Jim Langevin, clarifies that the term “cybersecurity risk” does not apply to actions solely involving violations of consumer terms of service or consumer licensing agreements.
Protecting Cyber Networks Act
PCNA originated in the House Intelligence Committee and was passed Wednesday in a 307-116 vote. Like NCPAA, the purpose of PCNA is to encourage companies to share information regarding cybersecurity risks. Under PCNA, however, such information would be shared with civilian agencies rather than the Department of Homeland Security. PCNA will also allow the federal government to share information regarding cyber threats with private entities, non-federal government agencies, and state, tribal, and local governments.
The bill would require that companies, prior to sharing information regarding a cybersecurity threat, take reasonable efforts to remove personal information identifying individuals not related to the threat. It imposes a similar requirement on information shared by the federal government. In addition, the bill directs the Privacy and Civil Liberties Oversight Board to report to Congress and the President every two years regarding the sufficiency of procedures to address privacy and civil liberties concerns.
Like its Homeland Security counterpart, PCNA was amended to sunset the bill’s provisions after seven years. Other amendments adopted by the House would require reports from Government Accountability Office and the Inspector General on the effectiveness of the bill’s privacy protections.
Now that NCPAA and PCNA have passed the House, the two bills are expected to be combined before being sent to the Senate for consideration. A companion bill in the Senate, the Cybersecurity Information Sharing Act, is expected to be brought to the floor of the Senate in the near future, although that process may be delayed by a group of senators who plan to offer additional privacy-focused amendments.