Following Wednesday’s approval of the Protecting Cyber Networks Act (H.R.1560) (“PCNA”), the House of Representatives passed the National Cybersecurity Protection Advancement Act (H.R. 1731) (“NCPAA”) on Thursday, a move which was view by the technology, telecommunications, and infrastructure companies as a critical compliment to the PCNA.
The NCPAA grants companies protection against liability for sharing data with the Department of Homeland Security (“DHS”) by amending the Homeland Security Act of 2002 to encourage voluntary information sharing about cyber threats, with liability protections, between and among the private sector and Federal government. Without these liability protections, companies sharing data pursuant to the PCNA could expose themselves to class actions or increased regulatory enforcement actions. Responding to privacy concerns, the NCPPA also includes numerous provisions to ensure the protection of the privacy of American citizens and ensure that shared cyber threat information is solely used for cybersecurity purposes.
Specifically, the NCPAA allows the DHS’s national cybersecurity and communications integration center (“NCCIC”) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives. The Act also expands the NCCIC’s functions to include global cybersecurity with international partners; requires federal and non-federal entities to take reasonable efforts to remove and safeguard information that can be used to identify specific persons and that is unrelated to cybersecurity risks or incidents prior to sharing; prohibits federal entities from using shared indicators or defense measures to engage in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information and bars the usage of such information for regulatory purposes; establishes a private cause of action for a person to bring against the federal government if a federal agency intentionally or willfully violates restrictions on the use and protection of voluntarily shared indicators or defense measures; and exempts from antitrust laws non-federal entities that, for cybersecurity purposes, share certain indicators, measures or assistance in accordance with the NCPAA.