Week ahead: House has unfinished cyber business

House lawmakers are not done just yet with their cybersecurity bills.

Now that lawmakers have approved two complementary bills that would increase the exchange of hacking data, they must get down to the task of clarifying several passages. Their work will be vital to ensuring President Obama is willing to sign the measures into law.

Together, the House’s bills would shield companies from legal liability when sharing cyber threat data with civilian government agencies, such as the Department of Homeland Security or the Treasury Department.

The House passed both measures by wide margins this week.

Although the Obama administration gave an official thumbs up to both bills, it did so with some conditions.

The White House is worried that overly broad liability protections in the bills could give companies immunity from legal action even if they are negligent on data security.

“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said in a statement of administration policy.

Many Democrats backing the bill agree and have pledged to work on further refining the liability language.

“Current liability language in the bill could allow for protections for companies that don’t act on cyber threat indicators,” Rep. Jim Langevin (D-R.I.) told The Hill.

Langevin co-chairs the Congressional Cybersecurity Caucus and was a major proponent of both bills, speaking in favor of the measures on the floor this week.

To illustrate his point, Langevin cited the recent breach at health insurer Anthem, which exposed nearly 80 million customers’ Social Security numbers.

What if Anthem had shared information about its hackers with all the other health insurers, Langevin said, “and all the other health insurers just sat on that information and didn’t do a darn thing about it?”

Those insurers might be immune from liability under the bills, Langevin added.

“I really think that’s egregious, and I think that they should be held accountable in that respect,” he said. “It would be unconscionable not to act on information if they receive credible threat information.”

However, House lawmakers’ work won’t mean anything unless the Senate approves its companion legislation.  

Any updates on the liability wording would have to be made during a conference between the two chambers.

But as of now, it appears the Senate is in no rush to get its bill, the Cybersecurity Information Sharing Act (CISA), to the floor.

Another skirmish over National Security Agency (NSA) surveillance has flared up, stalling the upper chamber’s initial plans to move CISA by the end of April.

Senate leaders now say they’ll deal with NSA reform, as well as legislation related to Iran’s nuclear program and multinational trade deals, before taking up CISA.

Privacy advocates — and some lawmakers — have long insisted Congress move first to curb the NSA’s surveillance authority before approving a cyber information-sharing bill.

They argue the current bills would shuttle more data to the spy agency.

RECENT STORIES:

Russian hackers infiltrated the Pentagon’s unclassified networks: http://bit.ly/1EzQdaY

A bitcoin exchange wants to become a bank: http://bit.ly/1bBrgPT

Sen. Ron Wyden (D-Ore.) is not backing down from his CISA opposition: http://bit.ly/1PvZEdj

A DOJ official said naming cyber culprits is key for the agency: http://bit.ly/1bBskDt

South Korea officially blames Pyongyang for 2013 cyberattack: http://bit.ly/1JlRrHU