On December 18, the President signed into law H.R. 2029, the Consolidated Appropriations Act Of 2016, (the “Act”), the 887 page bill which avoided a closure of federal government functions. Beyond the massive funding of the federal budget, the legislation contains a few surprises.
First, and foremost, is the suspension or postponement of the implementation of funding sources for the Affordable Care Act (the “ACA”, colloquially, “Obamacare”). Division P of the Act’s “Tax Related Provisions” postpones the imposition of the so-called “Cadillac tax”, the tax on “high-cost” health insurance plans; suspends for two years, until 2019, the 2.3 percent excise tax on medical devices that started in 2013; and places a moratorium on health insurer fees. The Act also removes the “health insurer fees” from the “non-deductible tax” list within the Internal Revenue Code. All of the foregoing were to contribute a significant source of revenue toward funding the ACA. (The “Cadillac tax” is assessed on health-insurance premiums over the limit of $10,200 for individuals or $27,500 for families.) In the case of the moratorium on health insurer fees, however, the popular consensus is that the fee is basically passed on to subscribers so that the impact on funding the ACA is negligible.
Secondly, Division N of the Act contains the controversial “Cybersecurity Act of 2015” (“CSA”). The CSA requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under “threats”. It provides that private entities may monitor and operate “defensive measures” on: (1) their own information systems; and (2) with written consent, the information systems of other private or government entities. Liability protections are provided to entities that voluntarily share and receive “cyber threat indicators and defensive measures” with other entities or the government as those are defined in the CSA. The CSA, particularly in its earlier Congressional iterations, was opposed by privacy advocates and those in the tech industry as intrusive, the belief being that private information would wind up in the hands of the government in spite of laws that limit private information’s dissemination. Lawmakers contended the CSA was important to prevent data breaches such as those that have taken place in the recent past.