9–8–8 Lifeline Cybersecurity Responsibility Act
- Bill Number
- H.R. 912
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Health
- Status
- Introduced
- Latest Action
- 2025-02-04: Referred to the House Committee on Energy and Commerce.
- Last Updated
- 2026-06-23T20:14:54Z
AI-Generated Summary
Purpose
The "9-8-8 Lifeline Cybersecurity Responsibility Act" aims to protect the National Suicide Prevention Lifeline (accessible by calling or texting 988) from cybersecurity threats. It strengthens security measures and reporting requirements to ensure the hotline remains reliable for individuals in crisis, while maintaining privacy protections.
Key Provisions
- Enhanced Security Responsibilities: The bill amends the Public Health Service Act to require the suicide prevention program to implement necessary steps to safeguard the hotline from cybersecurity incidents (such as hacks or data breaches) and address known vulnerabilities (weak points in systems that could be exploited).
- Reporting Requirements:
- The program's network administrator (the main entity managing the hotline with federal funding) must report identified cybersecurity vulnerabilities or incidents to the Assistant Secretary for Mental Health and Substance Use (within the Department of Health and Human Services, or HHS) in a timely manner, while protecting personal privacy under federal and state laws.
- Local and regional crisis centers participating in the program must report such issues to the network administrator, following the same privacy standards.
- The network administrator must then notify the Assistant Secretary of any vulnerabilities or incidents it discovers or learns about from crisis centers.
- Oversight and Clarifications:
- Crisis centers are generally responsible for overseeing the technology they use for hotline services, but the network administrator may take on this role if specified in their participation agreement.
- These new reporting rules add to (but do not replace) any existing federal cybersecurity reporting laws.
- Independent Study: Within 180 days of enactment, the Comptroller General (head of the Government Accountability Office, an independent agency that audits federal programs) must conduct a study on cybersecurity risks and vulnerabilities in the 988 lifeline and submit a report to relevant congressional committees (Senate Health, Education, Labor, and Pensions Committee; House Energy and Commerce Committee).
Significant Changes to Existing Law
- Adds a new requirement (paragraph 6) to the existing duties of the National Suicide Prevention Lifeline Program under Section 520E-3(b) of the Public Health Service Act, focusing specifically on cybersecurity protections.
- Inserts a new subsection (f) on cybersecurity reporting, which shifts the current subsection (f) to (g), introducing structured notification chains that did not previously exist for this program.
- These changes build on the 988 Suicide and Crisis Lifeline, established by prior laws, by integrating cybersecurity as a core operational element without altering the program's overall structure or funding.
Potential Impacts
- On Government Agencies: HHS will gain oversight responsibilities, potentially increasing administrative workload for monitoring reports and implementing protections. The required study could lead to further federal guidance or funding for cybersecurity in public health services.
- On Citizens: Improves the reliability and security of a critical mental health resource, reducing the risk of disruptions (e.g., service outages from cyberattacks) that could endanger lives. Privacy safeguards ensure sensitive caller information remains protected.
- On International Relations: No direct impacts, as the bill focuses on domestic U.S. public health infrastructure.
Main Stakeholders Affected
- Federal Government: HHS (particularly the Assistant Secretary for Mental Health and Substance Use) and the Government Accountability Office, which must handle reporting and conduct the study.
- Program Operators: The network administrator (currently Vibrant Emotional Health, a nonprofit managing the 988 lifeline) and participating local/regional crisis centers, who face new security and reporting obligations.
- Individuals in Crisis: Callers and texters to 988, who benefit from a more secure service but are indirectly affected through enhanced privacy measures.
- Congressional Committees: The Senate and House committees receiving the study report, which could influence future oversight or legislation.
Notable Legal, Constitutional, or Political Implications
- Legal: Reinforces compliance with existing privacy laws (e.g., HIPAA for health information) by mandating privacy-protected reporting, potentially setting a precedent for cybersecurity in other federally supported hotlines. The "supplement, not supplant" clause avoids conflicts with broader laws like the Cybersecurity Information Sharing Act.
- Constitutional: No apparent issues; the bill aligns with Congress's authority to regulate public health and interstate communications under the Commerce Clause, without infringing on free speech or privacy rights.
- Political: Bipartisan sponsorship (introduced by Rep. Obernolte and Rep. Dingell) highlights mental health as a nonpartisan priority. The study could spark debates on federal funding for cybersecurity in social services, especially amid rising cyber threats to critical infrastructure.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (3)
Rep. Dingell, Debbie [D-MI-6], Rep. Lieu, Ted [D-CA-36], Rep. Vindman, Eugene Simon [D-VA-7]
Recent Actions
- 2025-02-04: Referred to the House Committee on Energy and Commerce.
- 2025-02-04: Introduced in House
- 2025-02-04: Introduced in House
Bill Versions
- 9–8–8 Lifeline Cybersecurity Responsibility Act — issued 2025-02-04 — PDF (5 pages)