Data Protection Legislative Hot Topic

Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved, on a vote of 14-1, the Cybersecurity Information Sharing Act of 2015 (“CISA”), a bill to increase sharing of cybersecurity threat information by U.S. companies. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.

The joint statement issued by members of the Senate Intelligence Committee states that the bill is designed to increase “purely voluntary” cyberthreat sharing by U.S. companies, and it includes “numerous” privacy protections to prevent government abuse. Government use of the information would be limited to cybersecurity and prevention of “serious crimes” and would require the removal of personal information. The Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General would be directed to develop procedures to increase sharing of classified and unclassified threat information.

CISA would provide broader liability protections than the White House’s proposed information sharing bill. Under the White House’s proposed bill, companies would receive liability protection only for information shared with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and with private sector information sharing and analysis organizations. Such limitations were criticized by industry, and the Senate bill appears to remedy such concerns by providing broader protection to any threat information shared with the government and industry partners. CISA also would extend antitrust protections to companies that share information with competitors.

A week after the Senate Intelligence Committee acted on CISA, the House version, the Protecting Cyber Networks Act (“PCNA”), was unanimously approved out of the House Intelligence Committee. Both are primed for full votes. The House bill also provides for liability protection and a double sanitation process under which companies must make reasonable efforts to scrub shared data of personal information prior to sharing it with the government, and the government itself must further scrub the data prior to disclosures to the NSA or DOD. The House bill also includes explicit prohibitions on the use of the data for surveillance purposes.

The cyberthreat sharing bills still face opposition, however, from privacy advocates who feel there are still not enough protections to guard against abuse by U.S. intelligence organizations. For example, the only member of the Senate Intelligence Committee to vote against the bill, Senator Ron Wyden, cited privacy concerns in opposing CISA, echoing concerns that the legislation will provide greater latitude to surveillance programs.

White House releases language for omnibus consumer privacy bill.  On February 27, the White House released the language for a proposed omnibus consumer privacy bill—titled the Consumer Privacy Bill of Rights Act—that would regulate information collection and use practices.  The proposal set forth “baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”  In particular, the Bill would impose notice and consent requirements and implement other principles derived from Fair Information Practice Principles to facilitate the right for consumers to manage their personal information.

The bill focuses on public-private partnerships, industry self-regulation and existing regulatory authorities for enforcement. It encourages the creation of privacy review boards to establish industry best practices for consumer privacy. The bill would also allow the FTC to continue to exercise its authority under Section 5 of the FTC Act, but would bar the FTC from bringing enforcement actions against companies that implement FTC-approved codes of conduct. The penultimate draft of the bill within the White House apparently would have moved privacy authority over telecommunications carriers from the FCC to the FTC. Last-minute agency lobbying, however, proved successful in keeping the FCC’s privacy authority intact in the President’s draft.

Already, the draft language is receiving criticism from multiple players. Industry, privacy advocates, federal agencies, members of Congress, and EU officials have opposed language in the draft bill and expressed significant concerns. It has not yet been introduced in Congress, and given such opposition, it is unlikely the bill will find a sponsor to advance it in its present form.