HITRUST Praises House Efforts on Cybersecurity Measures
April 23, 2015 in News
On Thursday, the Health Information Trust Alliance in a release praised the House’s passage of a cybersecurity bill (HR 1560) and a forthcoming vote on a counterpart bill (HR 1731), Politico’s “Morning eHealth” reports (Gold et al., “Morning eHealth,” Politico, 4/23).
Cybersecurity has received attention following recent major cyberattacks, including a breach at Anthem that exposed records of about 80 million people and a recent attack on Sony Pictures Entertainment that involved some health information.
HR 1560 Details
The House voted 307 to 116 to pass the measure, which aims to encourage companies to allow federal cybercrime investigators access to their computer networks and records.
Under the bill, companies would receive legal liability protections if they share cyberthreat information with each other or the government. Companies that share data with the government would receive protections after the data have been washed twice for personal information (Steinhauer, New York Times, 4/22). First, the data would be scrubbed by a civilian agency — rather than the Department of Defense or the National Security Agency (Kelly, USA Today, 4/22). After the data have been scrubbed by a civilian agency, they would be scrubbed by the governmental entity that receives them.
The Obama administration has supported the bill but warned that the liability protections could be too wide-ranging and backfire by stopping companies from reporting cyberthreats (New York Times, 4/22).
HR 1731 Bill Details
On Thursday, the House is expected to take up the National Cybersecurity Protection Advancement Act, which would require private-sector companies to send their information first to the Department of Homeland Security. The House Homeland Security Committee last week approved the measure.
According to USA Today, lawmakers plan to combine the bills and work with the Senate — which has crafted its own cybersecurity information-sharing bill (S 754) — to create a compromise bill. The final bill would be subject to approval in both chambers (USA Today, 4/22).
HITRUST CEO Dan Nutkis applauded the measures. He said, “These bills effectively do two things. First, they formalize the process for information sharing and encourage private entities to share amongst themselves and with the government. And second, they provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyberattacks” (“Morning eHealth,” Politico, 4/23).
Breach Notification Bill
Meanwhile, a separate bill (HR 1770) that would create a national data breach policy has received criticism from some who see the policy as looser than existing state regulations, the Los Angeles Times reports.
The bill — written by Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) — aims to “replace the current patchwork of laws with a single, national standard for protection and notification.” Some have raised concerns that the federal law would pre-empt existing state laws that are stronger and more comprehensive.
For example, under current California law, Anthem had to disclose its breach because California’s law requires notification when a resident’s personal information is “acquired, or reasonably believed to have been acquired, by an unauthorized person.” The federal bill would require notification if the company finds “a reasonable risk” of “identity theft, economic loss or economic harm.” The bill does not define reasonable risk, and it could be up to the company to determine reasonable risk on its own, the Los Angeles Times reports (Lazarus, Los Angeles Times, 4/21).