For the past few years, the U.S. Congress has been marked by a deep and growing partisan divide, with few bills making it to the President’s desk for signing into law. Fortunately, cybersecurity legislation may become one of the few exceptions. Both political parties seem to recognize the gravity of increasing global cyber attacks and have responded by placing vital cybersecurity policy high on the legislative agenda.
In April, the House of Representatives demonstrated much-welcomed bipartisan unity by adopting two cybersecurity bills aimed at improving cyber information sharing between the private sector and government agencies. The National Cybersecurity Protection Advancement Act of 2015 (NCPAA) and Protecting Cyber Networks Act (PCNA) both enable private firms to share threat data—such as malware signatures, internet protocol addresses and domain names—with other companies and the federal government.
Most importantly for industry, the bills offer companies liability protection for participating in cyber threat information-sharing activities. In addition, for many Democrats voting for the legislation, the bills provide key privacy provisions. The NCPAA contains a number of provisions designed to limit the privacy impact of information sharing, including a prohibition on federal use of shared information to engage in surveillance for the purpose of tracking individuals’ personally identifiable information (PII). The PCNA requires that companies, prior to sharing information regarding a cybersecurity threat, take reasonable efforts to remove PII not related to the threat. It also imposes a similar requirement on information shared by the federal government. In addition, the bill directs the Privacy and Civil Liberties Oversight Board to report to Congress and the President every two years regarding the sufficiency of procedures to address privacy and civil liberties concerns.
After passage, the two pieces of legislation were combined into a single bill and forwarded to the Senate. Of course, it would not be the first time the House has passed major cyber legislation on to the Senate only for it to stall. But this time, it appears that Senate leadership is committed to taking action.
Republican leadership has signaled that it intends to bring a cybersecurity information sharing bill up on the Senate floor for consideration. Several Senate proposals are vying for attention, but it appears the Cybersecurity Information Sharing Act of 2015 will likely be the lead bill. While no date has been set for a Senate floor vote, many political commentators believe that there is an excellent chance Congress will actually reach consensus and adopt legislation sometime before the end of the year.
Cybersecurity information sharing is not the only cyber topic garnering increased attention from Congress. Since the passage of the first state data breach notification bill in 2003, industry has been calling for the adoption of national data breach notification legislation. But more than a decade later, 47 states have adopted their own legislation, and there still is no federal law. Industry argues that this patchwork quilt of state regulation requires a federal law imposing a single standard, but to date, there has been no significant movement towards a consensus bill.
However, 2015 has provided renewed hope. Congress often acts as a reactive body, and the recent cyber attacks on Anthem, Sony, Home Depot and Target—to name just a few—have rekindled efforts to adopt a federal data breach notification and security bill. A number of new proposals have been introduced in both the House and Senate, but there appears to be some momentum building behind H.R. 1770, the Data Security and Breach Notification Act of 2015, which recently passed the House Energy and Commerce Committee.
A number of issues still need to be resolved, for instance the bill’s approach to federal preemption of existing state laws, as well as the treatment of information, such as that captured by wearable technologies, that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). But as states continue to modify and add to their existing laws, the pressure to reach a compromise has increased.
Regrettably, the window for bipartisan support in passing cybersecurity legislation may be closing. Major legislation is not usually adopted in an election year, and the 2016 presidential campaign season is already beginning to kick into high gear. As a result, for cybersecurity legislation to make any headway, it will likely need to occur in 2015.
While there is no guarantee that Congress will take action this year, cyber may very well be an issue that transcends partisan politics. Let’s hope so, because the stakes are high.