From CyberScoop:

“Expanding access to data is a challenge,” said Brandon Pugh, cybersecurity and emerging threats policy counsel at the R Street Institute. “And the reason it’s a challenge is that the person accessing it may not have sufficient safeguards in place. Perhaps they’ve already been compromised, unknowingly.”

“It’s hard to discuss data access and regulating data without a bill that specifically addresses those points,” said Pugh, who co-wrote a critique of the legislation offering a number of suggestions to amend it to prevent potential cybersecurity issues. Pugh joined in a similar critique of antitrust bills introduced by the House this summer.

As written, there is a provision in the bill that exempts actions taken to “protect safety, user privacy, the security of non-public data, or the security of the covered platform” from being deemed unlawful conduct. If a tech company is sued for violating the law that the legislation would establish, the onus to prove it had acted in the interest of user security is on the tech company, however.

The current exemption for privacy and security “puts covered platforms on the defense,” said Pugh. “I think it’s going to do one of two things: It’s either going to force companies not to take proactive measures in the first place in terms of including security, which is probably the more likely outcome, or you’re going to see less compliance with the law.”

The marked-up version of the bill takes steps to address some of the criticisms. For instance, an amended version of the bill clarifies that it does not apply to data transfers to the People’s Republic of China or governments or companies controlled by other adversaries.