House to merge cyberthreat info-sharing bills

The House has passed a second cyberthreat information-sharing bill, the National Cybersecurity Protection Advancement Act, which will be combined with the House Intelligence Committee's Protecting Cyber Networks Act before being sent to the Senate, according to

Both bills provide businesses with liability protections if they share cyberthreat information with the federal government and other businesses.

To address privacy concerns, lawmakers added language to the National Cybersecurity Protection Advancement Act stating that the shared data is to be used for cyberdefense purposes only and cannot be used for intelligence or law enforcement. However, consumer advocacy groups contend the bill does not go far enough to protect data from other uses.

This second bill also names the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

The White House has given only lukewarm endorsement to both bills, saying they're too broad and called for changes, including narrowing of the liability protections.

No date has been set for the Senate to take up the combined bill.

The Health Information Trust Alliance (HITRUST), which has supported President Obama's proposal to increase information-sharing on cyberthreats since he announced it in the State of the Union address, is backing both bills.

"These bills effectively do two things," HITRUST said in a statement. "First, they formalize the process for information sharing and encourage private entities to share amongst themselves and with the government. And second, they provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyberattacks."

HITRUST added that both "go far in addressing information sharing priorities and provide clarity for healthcare companies," and said that it "opposes any amendments that would weaken significant provisions in either bill."

Participants in the White House Summit on Cybersecurity and Consumer Protection in February stressed the need to make clear that sharing threat data doesn't have to endanger consumer data.

To learn more:
- read the article
- here's the HITRUST statement