In a pair of recent votes, the House of Representatives supported legislation that would create liability protections for companies that share with the federal government information about cyberthreats. The bills, H.R. 1560 and H.R. 1731, allow private companies to take defensive cybersecurity measures to protect their rights and property. They also allow for sharing of the information learned with federal and state agencies, and limit the manner in which those agencies can use the information. The bills were prompted in part by the belief that companies that are subject to data breaches are reluctant to share cyberthreat information with the government due to liability concerns, thereby thwarting countermeasures.
Congress tried to pass similar legislation in 2013, when a cybersecurity bill was met with a veto threat from the President and resistance in the Senate. The recent legislation provides more detailed limitations and constraints on how information can be used. Despite these revisions, it is likely that H.R. 1560 and H.R. 1731 will be met with some resistance in the Senate. Consumer advocacy groups argue that the bills insulate companies that have ineffective or insufficient security practices. In addition, groups are concerned with how customer information will be shared with and used by the government. The Electronic Frontier Foundation, for example, contends that the bills “are written broadly enough to permit your communications service providers to identify, obtain, and share your emails and text messages with the government.” Commentators are optimistic, however, that the bills ultimately will pass the Senate, even if they are subject to additional narrowing and refinements. According to some, publicity and concern about recent attacks on U.S. networks have set the stage for implementation of new legislation.