More Senate Dems raise privacy concerns with cybersecurity bill

More Democrats are signaling they will try to amend a major cybersecurity bill when it hits the Senate floor in the coming weeks.

In a Senate Intelligence Committee report released over the weekend, Sens. Martin HeinrichMartin Trevor HeinrichBottom line Senate Democrats demand White House fire controversial head of public lands agency Senate Democrats seek removal of controversial public lands head after nomination withdrawal MORE (D-N.M.) and Mazie HironoMazie Keiko HironoOvernight Defense: Dems want hearing on DOD role on coronavirus vaccine | US and India sign data-sharing pact | American citizen kidnapped in Niger Senate Democrats want hearing on Pentagon vaccine effort FCC reaffirms order rolling back net neutrality regulations MORE (D-Hawaii) said they “continue to harbor concerns” about several privacy provisions in the bill.


The measure, the Cybersecurity Information Sharing Act (CISA), would grant companies liability protections when sharing cyber threat data with the government. It passed out of committee last month by a 14-1 vote.

Sen. Ron WydenRonald (Ron) Lee WydenPlaintiff and defendant from Obergefell v. Hodges unite to oppose Barrett's confirmation Senate Democrats call for ramped up Capitol coronavirus testing House Democrats slam FCC chairman over 'blatant attempt to help' Trump MORE (D-Ore.) — the only dissenting vote in markup — and Sen. Patrick LeahyPatrick Joseph LeahySchumer says he had 'serious talk' with Feinstein, declines to comment on Judiciary role Durbin says he will run for No. 2 spot if Dems win Senate majority Democrats seem unlikely to move against Feinstein MORE (D-Vt.) have expressed serious reservations about the measure, and both have indicated they’ll likely try to enhance it on the floor.

Advocates argue increased threat-sharing creates a better profile of hackers’ tactics, allowing everyone to bolster their defenses. They say companies need liability protections to quell fears of shareholder lawsuits and regulatory action when sharing data with the government.

Privacy groups maintain the bill does not properly restrict the personal information companies could share with government agencies, including ultimately the National Security Agency (NSA).

Heinrich and Hirono echoed those fears in commentary submitted for the report.

“However well intended, the bill’s provisions do not adequately direct companies to remove personally identifiable information when sharing cyber threat indicators with the government,” they said.

Furthermore, they said, “the bill also lacks a directive that the Department of Homeland Security scrub cyber threat indicators for unnecessary personally identifiable information before sharing that information with other areas of the federal government.”

CISA would make the DHS the main entryway for the cyber threat data entering the government.

The move was a concession to privacy advocates who worry about personal data going directly to the NSA.

But privacy groups think that without a proper DHS scrubbing, the sensitive information will still make it to the NSA almost instantaneously.

The bill’s backers disagree. They point to language in the bill that directs both companies and DHS to redact information that is known “at the time of the sharing to be personal information.”

The semantics debate is expected to get settled in the coming weeks, when CISA is expected hit the floor.

“We will look forward to a robust debate on the floor,” the two senators said.