Congress has been trying for several years to pass cybersecurity legislation, and the number of bills hitting the hopper has increased steadily over recent months. Nearly half a dozen bills have been introduced since January 2014 alone. Senate Intelligence Committee Chairman Dianne Feinstein (D-CA) and Vice Chairman Saxby Chambliss (R-GA) circulated another draft bill—The Cybersecurity and Information Sharing Act of 2014—last week. The recent uptick is no surprise in light of significant incidents of consumer data theft in the United States.
Like the proposed legislation before it, the draft Cybersecurity and Information Sharing Act is concerned with the theft of personal and financial information from company and government computer systems. In order to combat incidents of theft, the draft bill contains provisions that would allow for greater sharing of information among government and private sector entities. For example, the Secretary of Homeland Security would be required to timely share even classified information about cyber threats with cleared representatives of “appropriate entities.”
Private entities would also be able to constantly monitor their own systems, and those of other entities if given permission, to ferret out possible cyber threats. If a private company identifies a cyber threat, it could then engage in “countermeasures” to eliminate, prevent or minimize the threat. The draft bill does not elaborate on exactly what those “countermeasures” might include, but does contemplate that they will be executed on both private and government systems, as appropriate. In an attempt to alleviate previous concerns that data sharing would open companies up to litigation under the privacy laws, private entities engaged in monitoring and sharing information about cyber threats consistent with the proposed law would be exempt from suit.
In a joint statement regarding the release of the draft bill, Feinstein and Chambliss indicated that they have circulated the draft to “relevant parties in the executive branch, private industry and the privacy community” for comment, and that once comments are received, the pair will “consider the final legislation.” Given the uncertain timeframe for the collection of comments and introduction of a formal bill, it is unlikely that the Senate will be able to reach an agreement on a comprehensive cybersecurity bill before the end of the year. Additionally, the legislative calendar is already crowded with other priority items such as the annual appropriations process and action on tax extender provisions. Further complicating matters is the approaching 2014 mid-term elections. Nonetheless, cybersecurity does remain a priority for Congress, and additional action could take place late this year, possibly during the lame duck session.