Trade Law Daily is a Warren News publication.
'Cleared the Field'

Cybersecurity Information Sharing Act Amendments Fight Set for Thursday

A series of procedural moves by Senate leaders Tuesday generated a schedule that they say will set up a final vote on the Cybersecurity Information Sharing Act (S-754) early next week. Senate Majority Leader Mitch McConnell, R-Ky., filed cloture on a substitute package for S-754 containing an enlarged manager's amendment that, as expected (see 1510200073), includes the language from several of the amendments that had been included in the early August deal to move the long-stalled bill forward. The first cloture vote on the manager's amendment from Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chairwoman Dianne Feinstein, D-Calif., will occur Thursday unless Senate leaders can reach a deal on an alternative schedule for debating the manager's amendment and other amendments.

The expanded manager's amendment includes language from eight of the amendments originally set for consideration, including one from Sen. Ron Wyden, D-Ore., that would require establishing procedures for “timely” notification of individuals whose information was shared in violation of S-754's privacy scrubbing rules. Inclusion of the eight amendments and additional provisions in the manager's amendment was meant to speed debate on S-754, Burr said. Wyden later blocked Burr's attempt to schedule final votes on all amendments to S-754 for Thursday, saying even with the manager's amendment “the core privacy issues are not being dealt with.”

The manager's amendment includes compromise language based on amendments from Sens. Tom Carper, D-Del., and Chris Coons, D-Del., that would allow the Department of Homeland Security to implement automatic scrubbing of personally identifiable information (PII) from information shared via the department “under certain conditions.” Feinstein pointed on the Senate floor Wednesday to the inclusion of the Carper-Coons amendment as an example of the expansion of S-754's privacy protections, saying the proposed automatic DHS filter “can do an additional scrub” of shared cyber information.

Other absorbed amendments include language from the Federal Cybersecurity Enhancement Act (S-1869), which would increase oversight of DHS’ Einstein cybersecurity program and expand the program’s scope to cover all federal agencies. Other new provisions included in the manager's amendment involve ordering new studies, including requiring departments' inspectors general to assess the cybersecurity protections on federal networks that contain PII or classified information.

Senate leaders' work to expand the scope of the S-754 manager's amendment “cleared the field” but the scope of any timing agreement made before McConnell's deadline on the debate over amendments “will really dictate how long it will take to get through” consideration of the bill, said Norma Krayem, Holland & Knight senior cybersecurity policy adviser. The Senate won't consider several of the 13 other amendments originally allowed for consideration, including Wyden's proposed amendment that would require the removal of PII from cyberthreat data shared by the private sector, since only amendments deemed germane by Senate leaders can be considered once cloture is invoked.

A revised version of an amendment from Sen. Sheldon Whitehouse, D-R.I., that would significantly expand penalties for violating the Computer Fraud and Abuse Act is among those unlikely to get a floor vote since it was ruled non-germane. Whitehouse criticized Senate leaders Wednesday for ruling his amendment non-germane. "For some reason, the masters of the universe have gone off and had a meeting" to determine which amendments would be allowed, Whitehouse said on the Senate floor. "I think we would probably get 90 percent of this body" to support the amendment in a floor vote.

An amendment from Sen. Jeff Flake, R-Ariz., would sunset S-754 after six years and therefore subject the bill to congressional re-approval, while an amendment from Sen. Rand Paul, R-Ky., would remove access to S-754's liability protections for any company that breaks a user agreement or privacy agreement as a result of its information sharing. The Financial Services Roundtable is opposing the Flake amendment, saying in a letter to McConnell and Senate Minority Leader Harry Reid, D-Nev., Tuesday that the amendment “fails to take into consideration the infrastructure and resources that needs to be put in place for effective threat information sharing which cannot be simply turned on and off based on the inability of Congress to act.”

A proposed amendment from Sen. Chris Murphy, D-Conn., to include language from the Judicial Redress Act (HR-1428/S-1600) in S-754 is also drawing renewed attention after the House passed HR-1428 Tuesday (see 1510200065). That bill, which would give citizens of countries allied with the U.S. some but not all of the same privacy protections as Americans, has been seen as crucial to bringing the European Commission and U.S. together on a new safe harbor deal following the European Court of Justice’s recent invalidation of the safe harbor agreement (see 1510160050).

It's unclear how the Senate will handle Murphy's proposed amendment, since Senate leaders didn't anticipate Tuesday that it would be ruled in order, but it could be the fastest way for the Senate to handle the bill, a tech industry lobbyist told us. The tech industry urged swift Senate passage of the bill, after House action Tuesday. The House's passage of HR-1428 does renew interest in Senate action on S-1600, but there appear to be concerns that “trying to include it in [S-754] and then trying to get it through conference could simply take too long,” Krayem said. “It could potentially be a better strategy” to move S-1600 separately.

Tech companies opposed to S-754 need to “wake up and smell the roses,” Burr said Wednesday on the Senate floor, noting that those companies' systems are the “richest depositories of data in the world” and therefore are vulnerable to attack. Apple and Dropbox joined the ranks of opposing companies Tuesday. “The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy,” Apple said in a statement.