WASHINGTON — Final passage of legislation to thwart hack attacks is being delayed as lawmakers clash over how best to protect the privacy of Americans’ personal information.
Congress passed three different versions of cybersecurity legislation this year in the wake of high-profile hacks of U.S. companies and the federal government, including the massive attack on the U.S. Office of Personnel Management that compromised the personal data of more than 21 million federal employees, job applicants and their families. Other major hacks targeted Sony Entertainment, Home Depot, JPMorgan Chase, Target, T-Mobile and the Internal Revenue Service.
Despite widespread agreement in Congress on the need to pass a cybersecurity bill, a final compromise on the legislation is taking longer than expected amid disagreements over which piece of legislation has the strongest privacy provisions.
Lawmakers are under pressure from the U.S. Chamber of Commerce and other business groups to pass a bill immediately while some privacy advocates are urging Congress to scrap the legislation entirely.
Senators voted 74-21 in October to approve the Cybersecurity Information Sharing Act, which encourages private companies to voluntarily share cyber threat information with the government and one another. The bill, by Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chairman Dianne Feinstein, D-Calif., gives companies immunity from lawsuits by shareholders and consumers for sharing the information.
Since then, aides for the Senate Intelligence Committee have been negotiating with House staffers to try to combine that bill with two separate pieces of cybersecurity legislation passed by the House in April.
Supporters of cybersecurity legislation are hoping to bring a final bill to a vote in the House and Senate before Congress adjourns for the year, which should happen sometime next week. There has been talk that the cyber bill could be tacked onto a massive omnibus spending bill to keep the federal government operating through fiscal 2016.
“It’s either this scenario or we wait until early 2016, and chamber members definitely prefer seeing passage sooner rather than later,” said Matthew Eggers, senior director of the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce. “The cyber bill won’t stop all attacks, but it will help organizations better protect the Internet and their own information systems by knocking down barriers to sharing and receiving threat data.”
However, a coalition of 19 civil liberties groups, in a letter to President Obama and congressional leaders Wednesday, said they fear that negotiators from the House and Senate intelligence committees are stripping out privacy protections that were in the House Homeland Security Committee version of the bill.
Specifically, coalition members worry that the final bill will be stripped of the requirement that any cyber threat information from the private sector be sent to the Department of Homeland Security, a civilian agency that has stricter privacy regulations than the Pentagon’s National Security Agency. The NSA has generated controversy for its mass surveillance of Americans’ phone data.
The Homeland Security Committee’s bill also has more robust requirements for removing consumers’ personally identifiable information before companies share their data with the government or before DHS shares it with other federal agencies, said Evan Greer of Fight for the Future.
“Let me be clear that we do not support any of the three bills and believe that cybersecurity legislation could actually make us more vulnerable to cyber attacks by housing more personal information with government agencies that aren’t good at protecting it,” Greer said. “But, of the three bills, the House Homeland Security Committee’s bill had the strongest privacy protections and was sort of the least terrible.”
House Homeland Security Chairman Michael McCaul said Wednesday that he also is concerned that the privacy protections in the bill passed by his committee will be weakened. He said he would prefer to wait and have a formal conference committee made up of House members and senators negotiate a final bill rather than relying on staff talks to try to speed legislation through Congress in the next few days.
“We want DHS to be the lead civilian agency — not the FBI, who can prosecute you; not the NSA, who can spy on you,” McCaul, R-Texas, said at a newsmaker breakfast hosted by the Christian Science Monitor.
McCaul said he has warned Republican House leaders that they could lose votes on the 2016 government spending bill if they try to tack on cybersecurity legislation that does not include strong privacy protections.
“We have to be very careful about how we negotiate this,” he said.
Rep. Adam Schiff of California, the senior Democrat on the House Intelligence Committee, said negotiators “are very close” to reaching an agreement on a compromise bill. He said he hopes Congress will pass the legislation before it adjourns for the year because “we cannot afford to wait any longer.”
“We hope to unveil the finished product as soon as possible,” Schiff said Wednesday. “We feel a great urgency to pass an information-sharing bill because of the grave threats to our public and private networks. For me, a chief concern in any info-sharing bill has been maximizing privacy protections, and I believe that this forthcoming legislation will have the strongest privacy safeguards of any cyber bill to date.”