Overcoming the opposition of privacy advocates concerned about government surveillance, the U.S. Senate on October 27 passed legislation (S. 754) to provide legal immunity to companies that share cyberthreat data. Under the measure, companies that voluntarily share cyberthreat data with government and industry partners through a portal at the Department of Homeland Security (DHS) would be shielded from consumer or shareholder lawsuits. In addition, such information would be protected from Freedom of Information Act requests.
“We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks,” said Senator Richard Burr (R-NC), the bill’s sponsor. “This legislation gives the government and U.S. companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years.”
Before passing the bill, the Senate adopted several amendments to address privacy concerns, including a 10-year sunset of the data-sharing authorization, a requirement that the government notify individuals if their personal information is inadvertently shared with cyberthreat data, and several reporting requirements on federal agencies.
Nonetheless, opponents still contend that the legislation has flaws that provide back-door surveillance capabilities that would allow the government to continue to collect massive amounts of information on private citizens.
“The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities,” said Mark Jaycox, a legislation analyst with the Electronic Frontier Foundation, in a blog post. “The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”
Despite a bipartisan 74-21 vote, the legislation is likely to take several months to be finalized and sent to the White House for President Barack Obama's signature. The bill must be reconciled with similar legislation (H.R. 1731) passed by the House of Representatives in April. The two bills are similar in that they both create incentives for businesses to share real-time threat information with the government. However, the House bill would allow companies to share data with multiple federal agencies. The Senate bill provides liability protection only for data that is shared with DHS, but then allows DHS to disseminate the data to other public and private sector entities after it has been scrubbed of personal information.
In a Statement of Administration Policy released prior to Senate passage of the bill, the White House said it favors the Senate approach to supplying private-sector data only to DHS. “In order to ensure a focused approach and to facilitate streamlined information sharing while ensuring robust privacy protections, the Administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal,” the statement said.
The Senate bill was also endorsed by a wide range of business organizations, including the U.S. Chamber of Commerce, the American Bankers Association, Airlines for America, and the United States Telecom Association.