Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future. On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision. Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20. Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.
The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.” The amendment was intended as a nod to privacy advocates who have raised concerns that the bill would create an additional source of information for the National Security Agency’s intelligence programs. The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing. However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it. The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measure or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not just in a “good faith” attempt to comply with the bill’s provisions.