A coalition of free-market groups issued an open letter to Members of Congress, urging them to consider amendments to the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. That bill is intended to increase cyber security by facilitating greater sharing of cyber threat indicators (CTIs) by private companies with each other and with government, and by government with private companies that may face attack. But it also raises real privacy concerns because CTIs could include private information like email content or Internet usage history.
The letter proposes eight amendments:
- Include a 3-year sunset — or, failing that, a 5-year sunset, a proposal that was defeated in markup before the House Committee on Homeland Security Committee
- Improve reporting requirements so that, as Congress considers re-authorizing the bill, it has an accurate sense of how often private data are shared under the bill as cyber threat indicators (CTIs),
- Enhance agency accountability by ensuring that, if government agencies willfully disregard the bill’s privacy safeguards, injured parties have legal recourse;
- Suppress evidence unlawfully obtained as CTIs from use in criminal cases,
- Preserve common law remedies beyond enforcement of contracts and terms of service by which companies promise not to share personal information,
- Bar any regulatory coercion of information-sharing, whether through formal rulemaking or other means;
- More thoroughly bar use of CTIs “for regulatory purposes” by clarifying that this includes enforcement action and merger review as well as traditional rulemaking; and
- Clarify language authorizing defensive measures to ensure that the bill does not authorize and encourage collection of private information from innocent third parties whose systems might be used in botnet attacks.