Nov 92015

Senate Passes Cybersecurity Legislation, Differences to be Worked Out with House Bills

Clayton G. Northouse, Alan Charles Raul and Grady Nye
, , , , , ,

On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bi-partisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.

The purpose of CISA is to provide enhanced sharing of information relating to cybersecurity threats between the private sector and the federal government. The Senate and House bills provide:

  • A mechanism for information sharing coordinated by a federal agency;
  • Authorization for private entities to undertake such sharing and defensive cyber actions; and
  • Liability protections for actions that qualify as information sharing or specific actions undertaken to defend or monitor corporate networks and protections against disclosure under FOIA.

There are differences between the Senate and House bills that need to be worked out in order to clarify the ultimate effects of the legislation and clear its pathway to becoming law. One major area for continued debate may relate to privacy protections, where several failed amendments received significant support in the Senate and backing from tech companies, but were not reflected in the Senate bill as passed.  Vocal advocacy from privacy and civil liberties groups may continue to make this a focus during the conferencing process.

Key differences between CISA and the House bills include:

  • Privacy protections: The House bills provide that entities shall, prior to sharing information, “take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition.” H.R. 1731 § 3 (i)(3)(c). In contrast, CISA specifies that entities shall, prior to sharing information, “review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat and remove such information; or to implement and utilize a technical capability configured to remove [any such information]. . .” S. 754 (d)(2)(A and B). Privacy advocates and businesses will have differing views over the appropriate standards of protection that personal information should receive in the voluntary information sharing regime, especially as information sharing becomes common practice.  Importantly, the House’s “reasonable efforts” standard may expose businesses to liability for information sharing as is a standard that can be interpreted by the courts.  The potential of exposure to liability may serve to limit corporations from conducting the very information sharing the bill seeks to further.
  • Information sharing mechanisms: Another key difference is relates to how information would be shared with the government. Under the House bills, companies would be able to share information with multiple federal agencies. But in the Senate version, CISA would establish a portal at DHS, and DHS could then disclose the information to other agencies or to the private sector only after taking steps to ensure that personal information had been removed.
  • Determination of adequacy: CISA would require DHS and other agencies to determine whether certain critical infrastructure entities have provided sufficient and adequate information. The Secretary of DHS would be required, in conjunction with the appropriate agency regulating the covered entity, to develop strategies to address the cybersecurity of each covered entity. These strategies would include an assessment of whether each entity should be required to report cyber security incidents and a description of any identified security gaps that must be addressed. The House bills do not include such requirements. Some industry proponents have raised concerns that such a requirement would create duplicative regulatory oversight, establish a path towards mandatory reporting, and further complicate compliance efforts.
  • Healthcare cybersecurity: CISA requires the Department of Health and Human Services to report on cybersecurity and directs the Department to develop cybersecurity standards for healthcare information. Such provisions are not included in the House bills and will have to be worked out in conference but appear to be supported by elements of the healthcare industry.
  • Sunset: CISA has a ten-year sunset. The House bills have seven-year sunset provisions. This difference will be addressed in the conferencing process.

Provisions like these will be important to watch as the legislation makes its way toward becoming law. The White House has urged Congress to move “expeditiously,” but Senator Burr has already declared that the conference process is likely to “move at a very slow pace.”

Clayton G. Northouse

cnorthouse@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Grady Nye

gnye@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.