U.S. House Passes Cyberthreat Information Sharing Bills

On Wednesday, April 22, 2015, the U.S. House of Representatives passed two bills that would promote cyberthreat information sharing. These steps, coupled with recent action on a federal data breach notification measure, show real progress on important aspects of privacy and data security. While some privacy advocates remain opposed to the cyberthreat sharing bills on civil liberties grounds, the House action sets the scene for further discussions with the Senate, and improved prospects for adoption of legislation this year.

First, the House voted 307–116 to pass the Protecting Cyber Networks Act (PCNA, H.R. 1560), a bill designed to allow cyberthreat information sharing between corporations and government agencies. The Office of Management and Budget (OMB) released a statement from the Obama Administration largely supporting the measure, but noting that some “improvements” would be needed. The bill provides legal liability protections for companies that share cyberthreat information with each other or with the government. After opposition from civil liberties and privacy groups, negotiators added liability protection to a company only if the data undergoes two rounds of “cleaning” personally identifiable information: one by the company and one by the government agency that receives the data.

Among other things, the bill would do the following:

• The Director of National Intelligence (DNI) would be required to write procedures to share classified and declassified cyberthreat indicators in the possession of federal agencies with private entities and other state, tribal, and local governments.
• PCNA would also explicitly allow private entities to:
  • monitor and operate defensive measures on their own networks;
  • with written authorization, monitor and operate defensive measures on other private or government entities’ networks; and
  • conduct defensive activities on information stored on, processed by, or transiting their own networks, or (with written authorization) the network of another party.
• Federal entities would be authorized to use cyberthreat information and defensive measures to:
  • protect networks and information from cybersecurity threats;
  • respond to, prosecute, or prevent or mitigate the threat of death or serious bodily harm or an offense arising from the threat;
  • respond to, or prevent or mitigate, a serious threat to a minor, including sexual exploitation and threats to physical safety; and
  • prevent, investigate, disrupt, or prosecute specified criminal offenses relating to fraud and identity theft, serious violent felonies, espionage and censorship, or trade secrets.
• Non-federal entities would be permitted to share and receive cyberthreat indicators or defensive measures with other non-federal entities and with certain designated federal entities, but not directly with the U.S. Department of Defense (DOD), including the National Security Agency (NSA), unless authorized by another applicable law or regulation.
• State, tribal, and local authorities would be permitted to use cyberthreat information and defensive measures to:
  • protect networks;
  • respond to, prosecute, prevent, or mitigate threats of death or serious bodily harm; and
  • respond to, prevent, or mitigate serious threats to minors, including sexual exploitation and threats to physical safety.
• The President would be directed to submit procedures to Congress for the receipt of cyberthreat information and defensive measures by the federal government, including real-time sharing with all appropriate federal agencies, audit capability, and sanctions for the inappropriate use of the cyberthreat information or defensive measures. A Cyber Threat Intelligence Integration Center (CTIIC) would be established under the DNI, with the primary responsibility for coordinating the sharing of threat information, threat analysis, and cyberthreat intelligence activities and strategic planning.
• The U.S. Department of Justice (DOJ) would be required to set privacy and civil liberties guidelines to govern the receipt, retention, use, and dissemination of cyberthreat indicators by federal entities, including guidelines to ensure that personal information of, or information identifying, specific persons is removed from information received, retained, used, or disseminated by a federal entity. Individuals would be authorized to bring a cause of action against the federal government if an agency intentionally or willfully violated DOJ’s privacy and civil liberties guidelines.

The Administration’s concerns with the bill include what OMB characterized as the “sweeping” liability protection measures, and the ability to use certain “potentially disruptive defensive measure in response to network incidents.” The Administration said it was committed to working with stakeholders to address its concerns. The statement noted that “[i]nformation sharing is one piece of a larger suite of legislation needed to provide the private sector, the Federal Government, and law enforcement with the necessary tools to combat cyber threats.”

The House also passed the National Cybersecurity Protection Advancement Act of 2015 (NCPAA, H.R. 1731). OMB released a statement similar to the statement issued in connection with H.R. 1560, supporting the principle of sharing of cyber-threat information, while expressing reservations about the scope of liability protection and license to take disruptive defensive measures. Among other things, the NCPAA would provide liability protections to non-federal entities (excluding state, local, or tribal governments) who, under the NCPAA, either conduct network awareness, or share cyberthreat information or defensive measures, or who fail to act based on such sharing. Antitrust laws would not bar non-federal entities from sharing cyberthreat information or defensive measures for cybersecurity purposes, or assisting others in the prevention, investigation, or mitigation of cybersecurity risks or incidents. Individuals would be allowed to sue the federal government if an agency intentionally or willfully violated restrictions on the use and protection of voluntarily shared cyberthreat information or defensive measures. The NCPAA would not permit the federal government to require a non-federal entity to provide information to a federal entity. The U.S. Department of Homeland Security (DHS) would be designated as an intermediary for sharing the electronic information.

The two measures now head to the Senate, where another bill, the Cyberthreat Information Sharing Act of 2015 (CISA, S. 754), is under consideration. The Administration’s qualified support for the measures is something of a reversal, as the Administration last year had opposed similar measures. Privacy advocates, including the American Civil Liberties Union (ACLU), the American Library Association (ALA), and the Electronic Frontier Foundation (EFF), oppose the bills, and launched a website, Stop Cyber Surveillance, calling on President Obama to veto them. However, with reports of increasing cyberthreats, including state-sponsored attacks, interest in cyber-sharing legislation remains high and prospects for enactment seem good. In contrast, the likelihood that general privacy legislation reflecting the Administration’s proposed Consumer Privacy Bill of Rights will be adopted is considerably lower.

For more information on privacy and data security requirements and developments, and other related consumer product safety issues, contact Sheila A. Millar at +1 202 434-4143 or millar@khlaw.com, or Tracy P. Marshall at marshall@khlaw.com or +1 202 434-4234. Follow privacy, advertising, and data security developments and other similar topics on Keller and Heckman’s Consumer Protection Connection blog.