But civil-liberties groups warn the latest version of the measure has been stripped of some of the most significant privacy protections, transforming it into a surveillance bill.
“Instead of passing reforms that would have stopped the Anthem or [Office of Personnel Management] hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril,” Neema Singh Guliani, a legislative counsel for the American Civil Liberties Union, said in a statement. “It would wrongly allow companies to share larger amounts of consumer information with government agencies, potentially including the NSA. This information could be used for criminal prosecutions unrelated to cybersecurity.”
She urged companies not to participate in the voluntary information-sharing program if the bill becomes law.
Rep. Adam Schiff, the top Democrat on the House Intelligence Committee, argued that the legislation has strong privacy protections. It would establish the Homeland Security Department, a civilian agency, as the main portal for receiving private sector cybersecurity information and would direct companies to strip out personal information unrelated to a cyber threat.
“Ultimately, there is no greater guarantor of Americans’ privacy than America’s cybersecurity,” Schiff wrote in a letter to other lawmakers urging them to back the bill. “The Cybersecurity Act of 2015 will help make our networks safer and our privacy secure.”
Although the bill would bar the NSA from directly receiving the data from the private sector, it would instruct the Homeland Security Department to share the information it receives with other “relevant federal entities,” which privacy advocates note could include the NSA or FBI. Lawmakers removed previous language that would have required that the government only use the data for “cybersecurity purposes," which has privacy advocates worried that the data could find its way into criminal prosecutions. And they argue that the legislation doesn't impose a strong enough requirement on companies to remove personal information from the data they give to the government.
“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even-worse bill today. Americans deserve policies that protect both their security and their liberty,” Sen. Ron Wyden, an Oregon Democrat and outspoken privacy supporter, said in a statement. “This bill fails on both counts.”
The legislation could receive votes in the House and Senate as early as Friday.
Both chambers have already approved varying versions of the cybersecurity bill earlier this year. The White House had threatened to veto similar bills in 2012 and 2013, saying they lacked adequate privacy safeguards. But President Obama is expected to sign the legislation this time as part of the omnibus spending package if it reaches his desk.