More Senate Dems raise privacy concerns with cybersecurity bill

More Democrats are signaling they will try to amend a major cybersecurity bill when it hits the Senate floor in the coming weeks.

In a Senate Intelligence Committee report released over the weekend, Sens. Martin Heinrich (D-N.M.) and Mazie Hirono (D-Hawaii) said they “continue to harbor concerns” about several privacy provisions in the bill.

{mosads}The measure, the Cybersecurity Information Sharing Act (CISA), would grant companies liability protections when sharing cyber threat data with the government. It passed out of committee last month by a 14-1 vote.

Sen. Ron Wyden (D-Ore.) — the only dissenting vote in markup — and Sen. Patrick Leahy (D-Vt.) have expressed serious reservations about the measure, and both have indicated they’ll likely try to enhance it on the floor.

Advocates argue increased threat-sharing creates a better profile of hackers’ tactics, allowing everyone to bolster their defenses. They say companies need liability protections to quell fears of shareholder lawsuits and regulatory action when sharing data with the government.

Privacy groups maintain the bill does not properly restrict the personal information companies could share with government agencies, including ultimately the National Security Agency (NSA).

Heinrich and Hirono echoed those fears in commentary submitted for the report.

“However well intended, the bill’s provisions do not adequately direct companies to remove personally identifiable information when sharing cyber threat indicators with the government,” they said.

Furthermore, they said, “the bill also lacks a directive that the Department of Homeland Security scrub cyber threat indicators for unnecessary personally identifiable information before sharing that information with other areas of the federal government.”

CISA would make the DHS the main entryway for the cyber threat data entering the government.

The move was a concession to privacy advocates who worry about personal data going directly to the NSA.

But privacy groups think that without a proper DHS scrubbing, the sensitive information will still make it to the NSA almost instantaneously.

The bill’s backers disagree. They point to language in the bill that directs both companies and DHS to redact information that is known “at the time of the sharing to be personal information.”

The semantics debate is expected to get settled in the coming weeks, when CISA is expected hit the floor.

“We will look forward to a robust debate on the floor,” the two senators said.