House Passes Two Bills Promoting Cyber Threat Information Sharing | Practical Law

The US House of Representatives passed the National Cybersecurity Protection Advancement Act (NCPAA), which was preceded by the passing of the Protecting Cyber Networks Act (PCNA) the previous day. The two bills seek to improve the sharing of cyber threat information between private entities and government agencies.

Practical Law Legal Update 1-610-3925 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 27 Apr 2015 | USA (National/Federal)
On April 22 and 23, 2015, the US House of Representatives passed the Protecting Cyber Networks Act (PCNA) (H.R. 1560) and the National Cybersecurity Protection Advancement Act (NCPAA) (H.R. 1731). Both bills aim to facilitate and improve the sharing of cyber threat information between private entities and government agencies.
The PCNA would require the Director of National Intelligence to develop procedures to promote:
  • The timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal or local governments.
  • The sharing of imminent or ongoing cybersecurity threats with such entities to prevent or mitigate adverse impacts.
The NCPAA requires the Department of Homeland Security’s National Cybersecurity and Communication Integration Center (NCCIC) to be the lead federal civilian interface for multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures and cybersecurity risks for federal and non-federal entities. It would also expand the NCCIC's functions to include:
  • Global cybersecurity with international partners.
  • Information sharing across critical infrastructure sectors, with state and major urban area fusion centers and with small and medium-sized businesses.
  • Notification to Congress regarding any significant violations of information retention or disclosure policies.
  • Notification to non-federal entities of indicators or defensive measures shared in error or in contravention of specified requirements.
  • Participation in exercises run by DHS's National Exercise Program.
Both bills:
  • Would provide liability protection from customer lawsuits to companies that voluntarily share cyber threat data with the government and with each other.
  • Include provisions aiming to ensure privacy protection of American citizens such as:
    • establishing a private cause of action that a person may use against the federal government if a federal agency intentionally or willfully violates restrictions on the use and protection of the voluntarily shared data; and
    • requiring federal agencies and private entities to make reasonable efforts, before sharing data, to remove and safeguard identifying information about specific people.
The NCPAA also provides private entities that share data for cybersecurity purposes with an exemption from antitrust laws.