In the wake of huge data breaches in the last year, multiple pieces of legislation have been introduced in the past few months relating to cybersecurity and the sharing of information between public and private entities in order to combat increasingly sophisticated cyberattacks.
Yesterday, the U.S. House of Representatives passed bipartisan legislation, the Protecting Cyber Networks Act, which provides liability protections to companies for sharing cyber threat information with each other and the government. It is the first of several recently introduced bills to pass a vote. The bill allows companies to receive protection from private and governmental regulatory enforcement actions if the company shares information about cyber threats in good faith. The purpose is to urge companies to share cyber threat information and security vulnerabilities freely so the private sector and the government can learn of new threats and combat them in a timely manner. Companies have been reluctant to share details about security incidents for fear of reprisal, including lawsuits and enforcement actions based on the theory that their security is lacking or deficient. However, it is difficult to combat cyber threats uniformly and precisely if each company is experiencing the same threat and trying to respond to it individually. If companies share their information freely without reprisal, then private industry and the government will be able to investigate the cyber threat and provide best practices to avoid and/or respond to it.
The bill gives the national Cyber Threat Intelligence Integration Center the authority to take the lead in collecting, maintaining and sharing cyber threat information. Although the concept is logical, there continues to be criticism of the bill, particularly around providing appropriate protections for the sharing of identifiable personal information of consumers. On Tuesday, more than 50 civil liberties organizations and security experts urged legislators to reject the legislation, arguing that the sharing of information threatens the privacy of U.S. citizens. They also note that due process rights will be violated by allowing multiple law enforcement agencies to use information gathered from private industry for investigations that are not related to cybersecurity efforts.
We will continue to watch pending cybersecurity legislation and update you on developments in this area.