Section 6 of the bill contains liability protections, stating that “No cause of action shall lie or be maintained in any court against any private entity … for the monitoring of an information system and information under section 3(a) that is conducted in good faith in accordance with this Act and … for the sharing or receipt of a cyber threat indicator or defensive measure under section 3(c), or a good faith failure to act based on such sharing or receipt, if such sharing or receipt is conducted in good faith in accordance with this Act and the amendments made by this Act.” However, that section contains a willful misconduct provision that would negate the liability protection for actions in accordance with the bill’s provisions, and defines “willful misconduct” as “an act or omission that is taken— (A) intentionally to achieve a wrongful purpose; (B) knowingly without legal or factual justification; and (C) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.”
H.R. 1731 amends the Homeland Security Act of 2002 to provide liability protections for private companies sharing cyber threat information within the private sector and with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). As with H.R. 1560, personally identifiable information would be required to be scrubbed before a threat indicator is shared.
Both bills now head to the Senate, which is still considering its own version of cybersecurity threat information sharing legislation (the Cybersecurity Information Sharing Act (CISA), S. 754), which was reported by the Senate Intelligence Committee on March 13, 2015. A third information sharing bill, H.R. 234, remains in the offing in the House and may receive a vote later this week. Before passage of H.R. 1560, the White House issued a public statement of support for H.R. 1560 and H.R. 234, while expressing reservations that the liability protection provisions were too broad.