Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future.  On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision.  Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20.  Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.

The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.  During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.”  The amendment was intended as a nod to privacy advocates who have raised concerns that the bill would create an additional source of information for the National Security Agency’s intelligence programs.  The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing.  However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it.  The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measures, or for conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not merely in a “good faith” attempt to comply with them.

The committee also rejected a proposed amendment by Rep. Bennie Thompson (D-Mississippi) that would have added a five-year sunset provision to the bill, on the grounds that a sunset provision would make the information-sharing program appear to be a temporary experiment and companies would be hesitant to participate.  However, the committee did pass an amendment inserting a seven-year sunset provision for all reports mandated by the bill.  In addition to this information-sharing bill, the House Intelligence Committee recently approved another information-sharing bill, the Protecting Cyber Networks Act (H.R. 1560), which would provide liability protections for companies sharing cyber threat information with civilian agencies.  House leaders intend to combine the two bills and bring a single information-sharing bill to the House floor for a vote next week.  The Senate Intelligence Committee has also passed an information-sharing bill, the Cybersecurity Information Sharing Act (S. 754), which Senate leaders intend to bring to the floor for a vote “in the near future.”

Yesterday, the House Energy and Commerce Committee approved the Data Security and Breach Notification Act on a 29-20 party-line vote.  The bill, as approved, would require entities to maintain “reasonable” security measures and practices to protect consumer data and notify consumers within 30 days after the entity determines the scope of the breach and restores the security of the system.  During the markup session, significant debates occurred over the extent to which the bill should preempt existing state laws regarding information security requirements.  The committee passed amendments that added email addresses, if associated with usernames and passwords, to the bill’s definition of personally identifiable information (PII) and established a cap on the Federal Trade Commission’s ability to fine first-time offenders.

Rep. Bobby Rush (D-Illinois) also offered an amendment containing a substitute bill that would have expanded the bill’s definition of PII to cover emails, health information, and geolocation information and removed the financial harm requirement in the bill’s notification obligation.  Rep. Rush’s amendment also would have limited the bill’s preemption of state law and allowed for enforcement of the bill’s provisions by state attorneys general.  Although the committee rejected the amendment, it was supported by Rep. Peter Welch (D-Vermont), one of the bill’s cosponsors, signaling possible Democratic discontent with the terms of the bill.  Following the markup and vote, representatives from both parties pledged to continue to work on the bill to bridge some of the disagreements brought to light during the markup session.  Several Representatives stated that such work should occur before the bill is brought to the House floor for a vote, indicating that the data breach bill may end up on a longer timetable than the information-sharing bill.  Although a Senate version of the Data Security and Breach Notification Act (S. 177) has been introduced, it has not yet progressed through a committee vote.


Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.