On April 22, 2015, the U.S. House of Representatives overwhelmingly passed legislation designed to shield from liability companies that voluntarily report information regarding cyberthreats to other companies and the federal government. The Protecting Cyber Networks (PCN) Act (H.R. 1560) allows disclosure of facts related to cyberthreats so long as the disclosure does not reveal personal data. Under the PCN Act, any organization that shares this information in good faith would receive protection from private and regulatory actions, except for cases involving willful misconduct. The newly-established National Cyber Threat Intelligence Integration Center, operated under the Office of the Director of National Intelligence, would collect and disseminate information reported to the federal government.
H.R. 1560 is the first of many recent congressional cybersecurity proposals to come to a floor vote. A similar bill, the National Cybersecurity Protection Advancement Act (NCPA) of 2015 (H.R. 1731), is scheduled for consideration this week. The NCPA Act would likewise provide a safe harbor for entities that share information about cyberattacks and defensive measures, but would be administered by the Department of Homeland Security's National Cybersecurity and Communications Integration Center. If passed by the House, the NCPA Act will be combined with the PCN Act and considered together by the Senate. Both House bills parallel the Senate's own Cybersecurity Information Sharing Act of 2015 (S. 754), advanced by the Senate Intelligence Committee in March. The Senate bill reaches beyond the House measures to extend antitrust protection to companies that share information with competitors, and permits the federal government to disclose threats and other data with businesses in real time.
Past efforts to enact legislation that would promote sharing of cyberthreat information have come under fire for inadequately shielding companies from liability, and insufficiently protecting privacy and personal data. Several opponents of H.R. 1560, including some data security professionals, believe the bill fails to fully address these privacy concerns, and that the legislation should require scrubbing all personally identifiable information unnecessary to respond to a threat before sharing externally. It is unclear whether or how Congress will reconcile these pending measures.
Bass, Berry & Sims will continue to monitor and provide updates as we track cybersecurity legislation. If you have questions regarding the potential effects of this legislation, or any other cybersecurity concerns related to your organization, please contact an attorney on our Data Security & Privacy Team.