Congress Includes Measures to Ease Privacy Notice Requirements and Cyberthreat Sharing into Appropriations Bills

Everett Monroe 
Everett Monroe
December 18, 2015

Congress has been busy passing last minute appropriations bills before the year ends to fund the government through the end of the fiscal year and to plan long term infrastructure spending. Congress has added some provisions to those bills that affect federal privacy and cybersecurity laws.

Earlier this month, Congress included an amendment to the Gramm-Leach-Bliley Act in a bill that provides long term funding for infrastructure projects. Part of Gramm-Leach-Bliley requires that financial institutions notify customers of their privacy practices each year. The amendment allows financial institutions to not send out the annual notice if the financial institution’s privacy practices have not changed and the customer cannot opt out of any of the information sharing.

Congress is working on final passage of the budget omnibus bill to keep the government funded through September 2016. After informal negotiations on Tuesday night, House leadership added the Cybersecurity Act of 2015 to the bill. The Act is a modified version of the Cybersecurity Information Sharing Act, different versions of which have passed the House and Senate over the course of the year. The Act grants companies liability protections for sharing cyberthreat indicators and defensive measures with the government through the Department of Homeland Security. Companies will also receive protection from antitrust laws for sharing the same information with other companies. New to this version, the bill also gives the President authority to establish additional protected pathways through other federal agencies. Congress is expected to pass the bill, including the Cybersecurity Act, before the end of next week.

A number of privacy and data security bills are awaiting Congress’ return next year. The Email Privacy Act, a bill to expand privacy protections to stored emails, now has over 300 co-sponsors in the House, and there has been renewed interest in creating a uniform data breach notification standard after an earlier House effort stalled in committee. Hanson Bridgett’s Privacy, Data Security, and Information Governance Practice group will continue to monitor upcoming legislation, and will keep you informed as matters develop.