H.R. 1731 would largely codify the role of the National Cybersecurity and Communications Integration Center of the Department of Homeland Security in exchanging information about cyber threats with other federal agencies and nonfederal entities. The legislation also would require that certain additional procedures be followed when that information is shared, such as checking for and expunging personal information. Finally, the bill would require several reports to the Congress on cybersecurity information sharing. CBO anticipates that approximately 20 additional personnel would be needed to administer the new aspects of the program, prepare the required reports, and manage the exchange of information. Based on information from the Department of Homeland Security, the Office of Management and Budget, and other cybersecurity experts, CBO estimates that the requirements imposed by H.R. 1731 would cost approximately $20 million over the 2016-2020 period, assuming appropriation of the estimated amounts.
H.R. 1731 would make the government liable if an agency or department violates privacy and civil liberty guidelines and restrictions on the use of information required by the bill. While such liability could result in additional direct spending, CBO does not have sufficient basis to estimate the type or frequency of violations or the budgetary effect that might occur if the legislation were enacted. Because the bill could affect direct spending, pay-as-you-go procedures apply. H.R. 1731 would not affect revenues.
H.R. 1731 would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to cybersecurity providers and other entities that monitor, share, or use information on cyber threats. Doing so would prevent public and private entities from seeking compensation for damages from those protected entities for sharing or using cybersecurity information. The bill also would impose additional intergovernmental mandates on state and local governments by preempting disclosure and liability laws and by preempting any laws that restrict the cybersecurity monitoring, sharing, and countermeasure activities authorized by the bill. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages that might otherwise go to private-sector entities, CBO cannot determine whether the costs of the mandate would exceed the annual thresholds