Data Protection Report - Norton Rose Fulbright

It appears that Congress and the Administration are finally prepared to collaborate on addressing cybersecurity threats facing the nation. The Administration is moving forward on its cyber threat initiative, and a recent New York Times article suggested that Congress is now prepared to enact cybersecurity legislation.

Last week, the Administration received funding from Congress to develop the capabilities of the National Cybersecurity & Communications Integration Center (NCCIC). At the same time, two House bills – the Protecting Cyber Networks Act, H.R. 1560 (PCNA) and the National Cybersecurity Protection Advancement Act of 2015, H.R. 1731 (NCPAA) – are reportedly scheduled to receive floor votes this coming Wednesday and Thursday.

Cybersecurity Bills

Both bills provide some level of liability protection for companies sharing threat information with the government, addressing a major limitation of President Obama’s Executive Order, which only encouraged the sharing of cyber-threat information. Without protection from liability, companies may be reluctant to share information, fearing lawsuits and regulatory action. In that regard, the NCPAA provides the broadest liability protection – the bill would exclude from liability any sharing, or failure to act based on such sharing, conducted in accordance with the law, except in cases of willful misconduct. In contrast, the PCNA requires companies to act in good faith in connection with sharing or receiving information, or failing to act based on such sharing or receipt, before its exclusion from liability applies. These bills also vary in other regards, but a full comparison of the bills is beyond the scope of this post.

In the Senate, the Intelligence Committee issued a report on the Cybersecurity Information Sharing Act, S.754 (CISA) last Wednesday after the bill passed in committee 14-1 in March, and reportedly a “significant” number of senators are backing the bill. Similar to the NCPAA, the CISA would broadly exclude liability except in cases of gross negligence or willful misconduct. However, no floor action has been scheduled yet on CISA.

As these bills proceed in Congress, amendments are anticipated. However, now that there is significant national interest surrounding cybersecurity and President Obama has supported the sharing of cyber threat information, 2015 may be the year that one of these bills becomes law.

Administration’s Action

The Administration has also been active on the cybersecurity front. Last week, the Department of Homeland Security (DHS) requested $10.4 million to help develop the capabilities of the NCCIC. Although the NCCIC’s request does not refer to the receipt and sharing of cyber threat information, it is noteworthy that the NCCIC is the entity that would be charged with receiving cyber threat information under the NCPAA.

Our take

There can be no doubt that cybersecurity is a hot topic in 2015. With two cybersecurity bills fast-tracked to hit the floor in the House and one pending in the Senate, it appears that cybersecurity legislation is in the cards this year. With cyber threats continuing to mount, the Administration has also moved forward with cybersecurity initiatives in the past week, continuing its focus on cybersecurity that underpinned the Executive Orders on cybersecurity information sharing and sanctions for cyber attacks. We will be monitoring developments in this area.