House bill offers liability protection for information sharing

By Sean McCalley
Federal News Radio

The House is laying a path to a more comprehensive cybersecurity bill that focuses on information sharing, according to Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. The next step is to build upon a previous idea to extend liability coverage to private companies, so they feel comfortable sharing sensitive data with agencies that could violate privacy laws.

McCaul said this week he’ll introduce a draft bill that provides liability protection between public and private sector entities, but for back- and-forth exchanges between separate private sector companies, too. It builds off of a previous proposal from the White House, but it takes the liability protections a little further.

“We need to create legal, safe harbors for companies to be able to exchange [cybersecurity] threat information without fear of being sued,” said McCaul, during a discussion at the Center for Strategic and International Studies.

McCaul even argued “better information sharing actually improves industry’s ability to safeguard our personal data by allowing entities to keep the prying eyes of hackers outside of our digital health records and bank accounts.”

“For instance, if a major bank falls victim to a cyber intrusion, it would not be held back from sharing details of the attack with either the government or other banks and businesses,” said McCaul. “As long as the sharing’s done through the appropriate channels, and does not compromise private information of customers and citizens.”

McCaul said he’s also working with the House Judiciary Committee to draft other standards for information sharing.

Bigger role for Homeland Security Department

The bill would also place more power in the hands of the National Cybersecurity and Communications Integration Center (NCCIC). That would further cement its status as the primary interface point between the public and private sector on cybersecurity matters. In turn, it also places the Homeland Security Department at the forefront of the information sharing side of protecting the nation’s critical infrastructure.

“The department’s key tool is [NCCIC],” said McCaul. “Last year alone, DHS estimated that it received 100,000 cyber incident reports, detected 64,000 major vulnerabilities, issued nearly 12,000 alerts or warnings, and responded to 115 major cyber incidents.”

But McCaul said NCCIC’s role should expand as the trusted go-to point for the private sector from an information sharing standpoint. He added the concept behind the program is already well-suited because it’s not a regulatory body, an enforcement program that punishes private sector companies for sharing information, nor a spy agency.

In addition to the NCCIC program, McCaul pointed to the five small-scale cybersecurity bills signed into law last year as good starting points for further progress on the cybersecurity front. Folded into all these efforts is a focus on privacy in a post-Edward Snowden era.

“He’s done great damage to advancing these policies,” said McCaul. “I would argue my bill, because privacy groups do applaud it, [that] I’ve got an easier lift in the fact that I’ve already codified the NCCIC, and all I’m doing is adding more liability protection and privacy.”


White House draft cyber order promotes voluntary critical infrastructure protections