As ordered reported by the House Permanent Select Committee on Intelligence on April 10, 2013
H.R. 624 would amend the National Security Act of 1947 to require the Director of National Intelligence (DNI) to establish procedures to promote the sharing of information about cyber threats between intelligence agencies and the private sector. The DNI also would be directed to establish guidelines for granting security clearances to employees of the private-sector entities with which the government shares such information. CBO estimates that implementing the bill would have a discretionary cost of $20 million over the 2014-2018 period, assuming appropriation of the necessary amounts. Enacting H.R. 624 could affect direct spending or revenues; therefore, pay-as-you-go procedures apply. However, CBO estimates that those effects would be insignificant for each year.
CBO anticipates additional personnel would be needed to administer the program and to manage the exchange of information between intelligence agencies and the private sector. Based on information from the DNI and the Office of Personnel Management, CBO estimates that those activities would cost approximately $4 million annually over the 2014-2018 period, assuming appropriation of the necessary amounts.
H.R. 624 would allow for a person to collect damages and attorney’s fees if the federal government intentionally or willfully violated the conditions in the bill regarding the handling and use of information shared with the government and that person was harmed by such actions. Because any costs borne by the government for those cases would probably be paid from the Treasury’s Judgment Fund (a permanent, indefinite appropriation for claims and judgments against the United States), the bill could affect direct spending. However, CBO anticipates that any such cases would be rare and that the impact on direct spending would be insignificant in every year.
The bill would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to entities and cybersecurity providers that share or use cyber threat information. The bill also would impose additional intergovernmental mandates on state governments by preempting state disclosure and liability laws. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages, CBO cannot determine whether the costs of the mandate would exceed the annual threshold established in UMRA for private-sector mandates ($150 million in 2013, adjusted annually for inflation). However, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($75 million in 2013, adjusted annually for inflation).