The Rogers-Ruppersberger bill will come to the floor the week of April 23. Its information-sharing provisions are likely to be the crux of the debate on the House side. Today, the Managers filed a draft amendment in the nature of a substitute. Major differences:
- Throughout the bill the concept of private sector entity is expanded to include “utilities” which, after all, may be public sector entities but which ought to be within the ambit of the bill;
- The earlier version of the bill had allowed sharing of cyber threat information with anyone in the Federal government. The new version requires that Federal recipients include DHS in the loop;
- The blanket immunity from liability provided for in earlier drafts is narrowed somewhat to not protect against liability for willful misconduct;
- The purpose rules are modified so that a cyber security purpose or national security purpose must be a “significant” purpose of the sharing (a change that will remind many readers of the debate over other intelligence sharing rules);
- Government use is further limited by anti-tasking rules that prohibit the government from asking for information from the private sector affirmatively — only voluntary sharing is permitted;
- A right of action against the government for damages from intentional or willful violations of the limitations is added; and
- Since the Privacy and Civil Liberties Oversight Board is not yet active, a report from the ODNI Inspector General on privacy implications is required instead.
Overall, some modest but significant pro-privacy changes, though likely not enough to satisfy many in the NGO community.