The provision is supported by privacy advocates for its encouragement of transparency, but opposed by businesses who are looking for the widest liability protections possible.
"If liability protection is removed or thrown into question, businesses will say, 'We just don't have a good bill here. It doesn't do any good for me when I'm battling—let's face it—the Chinese, North Koreans, the Iranians, the Russians, or cybercriminals,'" Eggers said.
9. Implements a six-year sunset
One proposal from Flake and Franken would set a six-year timer after which the bill would sunset. Congress would at that point have to reauthorize the bill and would have a chance to tweak it.
10. Requires government to notify individuals about improper sharing
A second amendment from Wyden would require the government to notify individuals whose personal information was improperly shared or revealed.
11. Removes FOIA exemption
A change proposed by Leahy would remove a part of the bill that exempts information shared through the program from Freedom of Information Act requests (but privacy advocates say most of the information would already be covered under standing exemptions).
12 and 13. Commission government cyber reports
Two proposals, one from Sen. Jon Tester and another from Sen. Dan Coats, would commission government reports on cybersecurity.
Tester's amendment would require the government to report the number of threat indicators and defensive measures shared, the number of times personal information was removed, the number of times personal information was not removed but should have been, and the number of times the government used cyberthreat information to prosecute offenses not related to cybersecurity.
The amendment from Coats would commission a report on cybersecurity threats to mobile devices.
14. Multiple privacy, operations, and oversight changes
A set of changes put forward by the co-sponsors of CISA, Sens. Dianne Feinstein and Richard Burr, makes basic revisions that have the support of all sides. The manager's amendment includes changes to what can be shared, how shared information can be used, and how companies would be allowed to defend themselves against cyberthreats, and it would further curb exemptions from FOIA requests.
The changes from Feinstein and Burr put to rest some of the issues the privacy community was most worried about by allowing information sharing only for cybersecurity purposes and removing an authorization that would have allowed law enforcement to use cyberthreat information to pursue violent felons.
15. Increases punishments for cybercrimes
An amendment from Sen. Sheldon Whitehouse has raised alarm among privacy advocates for expanding penalties for violating the Computer Fraud and Abuse Act. That law, which makes accessing protected computers and networks illegal, has long come under fire for punishing low-level computer crimes and for discouraging legitimate security research.