BreachExchange mailing list archives

House Panel Passes Cyberthreat Info Sharing Bill


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:06:49 -0600

http://www.databreachtoday.com/house-panel-passes-cyberthreat-info-sharing-bill-a-8106

After beating back amendments by Democratic members to limit liability
protections for businesses, the House Homeland Security Committee on April
14 unanimously approved cyberthreat information sharing legislation on a
voice vote.

The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to
the full House, where differences with another cyberthreat information
sharing measure approved by the House Intelligence Committee last month
will be worked out (see Cybersecurity Bills: Latest Developments). House
leaders indicated that the full House could vote on cyberthreat information
sharing legislation as early as next week.

In the Senate, a version of its cyberthreat information sharing bill could
come up for a vote shortly (see Senate Intel Panel OK's Info-Sharing Bill).
Senate Majority Leader Mitch McConnell included the Cybersecurity
Information Sharing Act passed last month by the Senate Intelligence
Committee as among several bipartisan bills that the Senate is "working
hard to advance."

The National Cybersecurity Protection Advancement Act of 2015, approved by
the House Homeland Security Committee, provides many of the privacy and
civil liberties protections sought by President Obama that were absent in
earlier versions of cyberthreat information sharing legislation that passed
the House and that the White House had threatened to veto in the two previous
congresses (see White House Threatens CISPA Veto, Again).

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that
shared cyberthreat information processed through the National Cybersecurity
and Communications Integration Center - known as NCCIC, the Department of
Homeland Security portal - could not be used for law enforcement or
intelligence purposes. Civil liberties groups have raised concerns that
some cyberthreat information sharing bills could allow the use of collected
cyberthreat data to spy on Americans, violating their privacy and liberties.

The legislation would require private companies to remove personally
identifiable information unrelated to the cybersecurity risk before sharing
information with the NCCIC or other private entities. It would also require
the NCCIC to conduct a second scrub and destroy any personal information
that is unrelated to the cybersecurity risk before further sharing with
other government agencies or private organizations.

The aim of the cyberthreat information sharing legislation is to encourage
businesses and other private organizations to voluntarily share threat data
with the government and other businesses to mitigate damaging
cyber-attacks. But some businesses are reluctant to share the information
unless they are protected from legal actions, which led to the various
provisions to offer liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along
with the Obama administration, contends that the liability protections
offered to businesses in the committee's bill were too broad, providing
legal protections when not warranted. An amendment offered by Rep. Cedric
Richmond, D-La., would have removed liability protection for businesses
that received threat data but failed to act on it. "If you abide by the
provisions of this act," Richmond said, "then you're exempt from liability.
It's just that simple. Instead of adding all these other concepts to the
liability language, if we take the time to pass a bill and you abide by it,
you have liability exemption. If you don't, then you don't have exemption."

But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the
broader liability protections in the bill are aimed at getting the greatest
number of businesses to participate in cyberthreat information sharing.
"Stakeholders are concerned about putting their customers or consumers at
risk, and their information at risk; they're concerned about exposing their
own sensitive business information by sharing," Ratcliffe said. "And,
they're also concerned about possibly violating federal privacy laws.
Having strong liability protection is going to be absolutely critical and
vital to the success of this bill, and the phraseology in this bill is
absolutely critical and essential to that point."

The committee voted to excise from the bill the words "in good faith"
because, as McCaul noted, the term is too ambiguous and could lead to
confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the
cyberthreat information sharing bills winding their way through Congress.
Statements of Administration Policy, such as the ones containing the
earlier veto threats, usually are issued shortly before one of the chambers
is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for
swift floor action on the legislation. "Congressional action to better
protect consumers from cyber-attacks is long overdue," said Roundtable CEO
Tim Pawlenty. "We applaud the House for addressing gaps in our nation's
cybersecurity laws and urge both chambers of Congress to quickly put a bill
on the president's desk."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
