The House of Representatives on Wednesday passed the Protecting Cyber Networks Act, aiming to shield companies sharing hacking data with each other from liability — to the chagrin of privacy advocates.
Rep. Devin Nunes (R-Calif.) said he wrote H.R. 1560 because the threat of cyber attacks has become an “urgent concern” to both the United States and businesses, considering the latest spate of high-profile breaches at Anthem, Sony, Target, and JPMorgan Chase.
“The Protecting Cyber Networks Act addresses a core problem in our digital security infrastructure: because of legal ambiguities, many companies are afraid to share information about cyber threats with each other or with the government,” Nunes said in a prepared floor statement. “If a company sees some threat or attack, this bill will allow it to quickly report the intrusion without fearing a lawsuit, so that other companies can take measures to guard against the threat.”
Three dozen privacy organizations and 19 security researchers reportedly sent a letter to lawmakers citing concerns that any bill that eases information sharing could lead to “government overreach,” according to a Bloomberg story Wednesday.
“Law enforcement would be allowed to use cyber threat indicators to investigate crimes and activities that have nothing to do with cyber security, such as robbery, arson, carjacking, or any threat of serious bodily injury or death, regardless of whether the harm is imminent,” the letter reportedly said.
H.R. 1560, which passed 307-116, would require companies to take reasonable efforts to remove names, email addresses and other personal information from data that is shared in order to receive legal protections.
A spate of industry groups reportedly sent their own letter to lawmakers supporting the bill, along with related cyber security legislation, H.R. 1731, that’s expected to be passed on Thursday.
“Our organizations believe that Congress needs to send a bill to the president that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyber-attacks,” the letter reportedly said. It was signed by the U.S. Chamber of Commerce, the American Petroleum Institute, and the Telecommunications Industry Association.