Leaders of the House Intelligence Committee—Chairman Rep. Mike Rogers (R-Mich.) and ranking Democrat Rep. Dutch Ruppersberger (Md.)—introduced a bill yesterday that would shield businesses from liability for sharing information relating to cyber threats with the federal Government and other entities. The bill—H.R. 3523—is intended to promote the sharing of cyber threat intelligence among businesses and the intelligence community.
The bill, which is named the Cyber Intelligence Sharing and Protection Act of 2011, would permit cybersecurity service providers and businesses that operate their own cybersecurity systems to share information related to potential cybersecurity threats with other businesses and the federal Government. Such threats include efforts to interfere with a cybersecurity network, or threats involving the theft of “private or government information, intellectual property, or personally identifiable information.”
“Personally identifiable information” is not defined.
If information is shared under the statute, “[n]o civil or criminal cause of action shall lie” against the business making the disclosure. The bill expressly preempts state law that “restricts or otherwise expressly regulates” an activity authorized by the statute. This means that state laws prohibiting the disclosure of personal information would not apply to disclosures made under the statute. The bill also exempts information shared with the federal Government from disclosure under the Freedom of Information Act (FOIA).