Providing limited liability protection to private companies could be a sticking point for lawmakers working to pass cybersecurity legislation.
Rep. John Tierney, D-Mass., ranking member of the national security, homeland defense and foreign operations questioned whether companies that adhere to federal cybersecurity policies should not be held liable for the impact of a breach.
Tierney also raised concerns that government agencies like the Department of Homeland Security are conducting risk assessments for companies that should be responsible for doing them.
“I don’t know why we have to give you incentives,” said Tierney, in response to TechAmerica President Phil Bond’s remarks about providing incentives for businesses that adhere to government standards. “I don’t understand the shifting of responsibility and obligation.”
In contrast, Sen. Susan Collins, R-Maine, suggested the White House add such protections in its cybersecurity legislation proposal. At a Senate committee hearing Tuesday, Collins referenced legislation she co-authored that would provide companies limited protection for taking preventative measures.
Sen. Joe Lieberman, I-Conn., said the issue of liability protection could be a “real obstacle” to passage of cybersecurity legislation.