During a slightly truncated “cybersecurity week” in the House, lawmakers are poised to pass a pair of cyber information-sharing bills with strong bipartisan support.
But House leaders have dropped plans, for the moment at least, to consider a consumer data-breach notification bill amid signs of a likely partisan breakdown.
The Senate could take up info-sharing and breach notification within a week or two.
The information-sharing legislation would allow companies to exchange cyberthreat indicators with the government and among themselves, with related liability protection.
Industry leaders see this as the next piece in the cybersecurity policy puzzle. Businesses are willing to participate in a process of info-swapping that helps create a real-time, cyber “weather map” identifying emerging threats before they wreak havoc on companies’ computer networks.
But companies won’t fully embrace info-sharing unless they are shielded from lawsuits, regulatory and antitrust action, and disclosure under the Freedom of information Act.
Lawmakers from both parties and the White House agree on the importance of info-sharing, though differences over details have been substantial.
The White House and members of Congress have wrestled with the liability issue for several years.
Today, they appear to be extremely close to bridging their differences, even as online privacy groups — White House allies in past debates — oppose the legislation as too broad and susceptible to abuse.
Prior to this week’s floor debate, House Republican leaders had to sort out two committee-passed bills on info-sharing: one that passed the Intelligence panel in March and one cleared by the Homeland Security Committee just last week.
Rather than try to merge the bills ahead of time, both bills will get a floor vote and Homeland Security Chairman Michael McCaul, R-Texas, and Intelligence Chairman Devin Nunes, R-Calif., each get to take a victory lap.
They’ll be merged after the votes and prepared for conference with the Senate.
Beyond info-sharing, the consumer data security and breach-notification issue was propelled to the policy forefront by the attacks on Anthem, Home Depot, Target and endless others.
At the beginning of the year, it appeared this might be the easiest piece for Congress to address.
Legislation would set some kind of time requirement for companies to report breaches, it would create minimum standards for securing consumers’ data, and it would supersede 47 different state laws that companies currently must obey.
It didn’t turn out to be so easy. A bipartisan bill by Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt., ended up provoking plenty of partisan rancor last week when it was marked up in the Energy and Commerce Committee.
Welch suggested that disagreements over issues such as medical records could be resolved before a floor vote. But he ended up voting against his own bill in committee, dimming its bipartisan luster.
The parties also have major differences over pre-empting stronger state notification laws such as the one in California and an emerging law in New York. And they disagree over the stringency of the security requirements.
There’s another factor: Republicans and Democrats on the House Homeland Security Committee have a history of collaboration.
Even though Homeland Security Committee members disagreed last week over an important point on liability protection for industry, they approved the info-sharing bill by voice vote. The lawmakers expressed confidence that the point could be massaged later in the process.
There’s no such “trust factor” at work in the Energy and Commerce panel, which has less history on cybersecurity issues in general.
House leaders decided late last week to pull the data-breach bill from this week’s agenda, giving lawmakers a little more time to iron out differences.
In the Senate, meanwhile, leaders only have to manage one information-sharing bill, and appear likely to skip the committee stage altogether on the consumer data-breach notification legislation.
The Senate Intelligence Committee passed an info-sharing bill on a 14-1 vote, and even earned praise from the White House for its efforts to bolster privacy protections in the measure.
At the same time, many in industry see the liability protections in the Senate bill as the gold standard on that topic.
The one vote against the bill in committee came from Sen. Ron Wyden, D-Ore., who denounced the measure as a “surveillance bill.”
Some of Wyden’s Democratic colleagues are likely to agree with that assessment, but this measure is primed for a remarkable victory whenever Majority Leader Mitch McConnell (R-Ky.) brings it to the floor.
The info-sharing bill could pull along the Senate’s version of the consumer data-breach legislation.
Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., last week introduced a data-breach bill that is likely to attract bipartisan support.
Groups including the Financial Services Roundtable and American Bankers Association immediately announced support for Carper-Blunt, a reworked version of legislation the two senators first introduced in the last Congress.
The thinking is, Carper-Blunt will be added as an amendment to the info-sharing bill on the Senate floor.
As always, differences will have to be massaged between House and Senate versions of both the info-sharing and data-breach bills.
But even this mini-cyber week in the House reveals a Congress that’s closer than ever before to passing major cybersecurity legislation.
A White House signing ceremony by Memorial Day is within the realm of possibility, a sea-change on the information-sharing issue that would’ve seemed wildly optimistic a few months ago.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
