Communications Litigation Today was a Warren News publication.
Amendments Target Data Breaches

House Subcommittee Clears National Cybersecurity and Critical Infrastructure Protection Act

The House Cybersecurity Subcommittee cleared the National Cybersecurity and Critical Infrastructure Protection Act Wednesday, sending HR-3696 on to the full House Homeland Security Committee. The bill, which had the support of both Republican and Democratic committee leaders, would codify the Department of Homeland Security’s existing public-private collaboration on cybersecurity, but would not give the agency new powers. It would also allow new liability protections for companies that deploy anti-terrorism technology to also deploy cybersecurity tech. The subcommittee cleared HR-3696 with multiple amendments, including two that dealt with concerns stemming from recent data breaches at Target and other national retailers.

The version of HR-3696 introduced Wednesday as a manager’s amendment included several policy changes aimed at clarifying and limiting perceived extensions of DHS’s cybersecurity authority. That included prohibiting the secretary of homeland security from determining the membership of sector coordinating councils that are aiding in implementation of President Barack Obama’s cybersecurity executive order. The manager’s amendment also would direct DHS to provide recommendations to Congress on streamlining information sharing agreements between the government and critical infrastructure owners and operators. The manager’s amendment also clarifies that the National Institute of Standards and Technology is leading development of the Cybersecurity Framework, with DHS providing a supporting role.

The implications of the Target data breach and other recent publicly identified data breaches are “remarkably significant,” possibly affecting a third of the U.S. population, said subcommittee Chairman Pat Meehan, R-Pa. The data breaches made it an “important time to be dealing with this kind of activity,” he said. Rep. Steve Daines, R-Mont., successfully added an amendment to HR-3696 that requires DHS to provide technical assistance to federal agencies to prevent and respond to data breaches on federal information systems that include personally identifiable information (PII). Daines’ amendment would also require federal agencies to notify the National Cybersecurity and Communications Integration Center, along with all potential victims, of any data breach involving PII within two days after a breach is discovered. Subcommittee ranking member Yvette Clarke, D-N.Y., called the amendment “very timely.”

The subcommittee also passed an amendment, offered by Rep. Scott Perry, R-Pa., that would prohibit DHS from using powers it receives from HR-3696 to monitor or collect any PII for cybersecurity purposes. Meehan said the amendment is in line with DHS’s own thinking, saying the agency “does not believe they need to be storing that kind of information,” and the full committee has worked hard to “protect the rights of every American.” Meehan and Clarke both said the American Civil Liberties Union supports HR-3696. The ACLU’s support shows the bill is both “pro-security and pro-privacy,” Meehan said. The bill “avoids the privacy and civil liberties pitfalls that plagued other cyber legislation,” Clarke said.

Clarke successfully added the language from her Homeland Security Cybersecurity Boots-on-the-Ground Act (HR-3107) to HR-3696. The full committee cleared HR-3107 and another cybersecurity workforce bill, the Critical Infrastructure Research and Development Act (HR-2952), in late October (CD Oct 30 p7). The subcommittee cleared a second amendment from Clarke, which would require that a new $20 million allocation for reorganizing DHS’s SAFETY Act office come from DHS’s general budget. Clarke said she didn’t object to the new funding, but did not want it to come strictly from DHS’s Science and Technology Directorate.

The subcommittee also cleared an amendment from Rep. Steve Horsford, D-Nev., that would ensure the reorganization of DHS’s SAFETY Act office does not impede the department from continuing to develop the anti-terror products it has traditionally created. Rep. Mike Rogers, R-Ala., withdrew an amendment that would have changed the requirements for critical infrastructure companies to seek liability protection for cybersecurity efforts. Rogers said he was concerned the language in HR-3696 would allow only critical infrastructure companies serving large metropolitan centers to seek liability protection because they would be the most “severely” affected. Clarke objected to the amendment, saying it “risks lowering the threshold” for liability protections, but offered to work with Rogers on more appropriate language as the bill progresses. Rogers said he looked forward to “finding a reasonable solution for this.”