10.21.15

Statement of Senator Patrick Leahy (D-Vt.), Ranking Member, Senate Judiciary Committee, Regarding the Cybersecurity Information Sharing Act of 2015 October 21, 2015

It seems as though every week, the American people learn of yet another data breach in which Americans’ sensitive, private information has been stolen by cybercriminals or foreign governments.  This is a critical national security problem that deserves action by Congress.  But our actions must be thoughtful and responsible, and we must recognize that strengthening our Nation’s cybersecurity is a complex endeavor with no single solution.

According to security researchers and technologists, the most effective action Congress can take to improve our cybersecurity is to require better and more comprehensive data security practices.  That is why earlier this year, I introduced the Consumer Privacy Protection Act.  That bill requires companies to utilize strong data security measures to protect our personal information and to help prevent breaches in the first place.  Companies that benefit financially from gathering and analyzing our personal information should be obligated to take meaningful steps to keep it safe. 

But rather than taking a comprehensive approach that addresses the multiple facets of cybersecurity, the Republican Majority appears to be focused entirely on passing the Senate Intelligence Committee’s cybersecurity information sharing bill.  While legislation to promote the sharing of cyber threat information could, if done right, be useful in improving our cybersecurity, it is a serious mistake to believe that information sharing alone is the solution.  Information sharing alone would not, for example, have prevented the breach at the Office of Personnel Management, nor would it have prevented other major breaches, such as those at Target, Home Depot, Anthem, or Sony. 

Instead of ensuring that companies better safeguard Americans’ data, this bill goes in the opposite direction, giving large corporations more liability protection and even more leeway on how to use and share our personal information with the government – without adequate privacy protections. 

Also troubling is the fact that the Republican Majority has been intent on jamming this bill through the Senate without any regard for regular process or opportunity for meaningful public debate.  Only last year, the Republican Leader declared his commitment to “a more robust committee process” and plainly stated that “bills should go through committee.”  But the bill was drafted behind closed doors by the Senate Intelligence Committee, and it has not been the subject of any open hearings or any meaningful public debate.  The text of the bill was only made public after it was reported to the Senate floor, and no other committee of jurisdiction – including the Judiciary Committee – was allowed to consider and improve the bill.

The Judiciary Committee was prevented from considering this bill even though it contains numerous provisions that affect matters squarely within our jurisdiction.  First and foremost, the bill creates a framework of information sharing that could severely undermine Americans’ privacy.   The bill also overrides all existing law to provide broad liability protections for any company that shares information with the government.  It also overrides important privacy laws such as the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA), over which the Judiciary Committee has long exercised jurisdiction.  CISA even amends the Freedom of Information Act (FOIA) and creates new exemptions from disclosure. 

This is just the latest attempt by the Majority Leader to bypass the Judiciary Committee and jam a bill through the Senate that contains provisions within the jurisdiction of the Committee.  The bill reported by the Senate Intelligence Committee includes a broad and unnecessary FOIA exemption.   FOIA falls under the exclusive jurisdiction of the Senate Judiciary Committee and changes affecting this law should not be enacted without full and careful consideration by the Judiciary Committee.  This important transparency law certainly should not be amended in closed session by the Senate Intelligence Committee. 

Shortly after the text of the bill was released, I shared with Chairman Grassley my concern that the Judiciary Committee should also consider this bill.  He assured me that there would be a “robust and open amendment process” if this bill were considered on the Senate floor.  But only a few weeks later, the Republican leadership – with Chairman Grassley’s support – attempted to jam the Intelligence Committee’s bill through the Senate as an amendment to the National Defense Authorization Act (NDAA) without any opportunity for meaningful debate.  Republicans and Democrats joined together to reject the Majority Leader’s effort to force the cybersecurity bill onto the NDAA.  Despite this rebuke from both sides of the aisle, just a few weeks later, the Majority Leader again attempted to jam the bill through the Senate in the final days before August recess, without any serious opportunity to debate and offer amendments.   

The Majority Leader’s actions have been part of a consistent disregard for regular order.  He has talked about providing an opportunity for fair debate, but at the same time he has used all procedural mechanisms to stifle process on this bill.  Yesterday afternoon, the Senate moved to consideration of this bill – but then not even two hours later, the Majority Leader moved to end debate.  That speaks volumes about whether the Majority Leader is really interested in a full and open debate, and it is not how the United States Senate should operate – particularly when it comes to a bill with such sweeping ramifications for Americans’ privacy.

Senator Feinstein, the ranking member of the Intelligence Committee, has consistently said that the Senate “should have an opportunity to fully consider the bill and to receive the input of other committees with jurisdiction in this area.”  She has worked hard to improve the underlying bill with a Managers’ amendment that addresses a number of my concerns, particularly in regards to FOIA, limiting the sharing of information for cybersecurity purposes only, and ensuring that the bill would not allow the government to use information to investigate crimes completely unrelated to cybersecurity.  I appreciate these improvements, and Senator Feinstein’s efforts to include them in the bill.  But again, this bill still has some serious problems and requires a full, public debate.  The bill still includes, for example, a FOIA exemption that I believe is overly broad and unnecessary. 

In July, the Department of Homeland Security wrote a letter to Senator Franken stating that in their view the bill raises significant operational concerns and certain provisions threaten to severely undermine Americans’ privacy.  Last week, the Computer & Communications Industry Association – an organization that includes Google, Facebook, and Yahoo! – voiced serious concerns that the bill fails to protect users’ privacy and could “cause collateral harm” to “innocent third parties.”  And this week, major tech companies such as Apple, Dropbox, Twitter, and Yelp have vocally opposed the bill citing concerns for their users’ privacy.

The latest version of the bill contains a number of improvements that I and other Senators have been fighting for, and I am glad to see that we are making progress.  But we still have work to do on this bill, and the Senate must have an open and honest debate about the Senate Intelligence Committee’s bill and its implications for Americans’ privacy.  I agree that we must do more to protect our cybersecurity, but we must be responsible in our actions.  Legislation of this importance should not be hastily pushed through the Senate, without a full and fair opportunity for Senators to consider the ramifications of this bill.  Unfortunately, by moving so quickly to end debate, it appears that the Majority Leader is trying to do just that.  

# # # # #

Press Contact

Press Contact
David Carle: 202-224-3693