President Obama will continue to apply his influence (and pen) to jump-start the legislative process on key issues, this time by proposing a pair of laws aimed at creating federal data breach legislation as well as protecting the privacy of student data.
Speaking at the Federal Trade Commission (FTC) Monday, the President said he would call for a Personal Data Notification and Protection Act and a Student Data Privacy Act during his State of the Union address on Jan. 20. The former would clarify and strengthen “the obligations companies have to notify customers when their personal information has been exposed.” A key part of that law would be “a 30-day notification requirement from the discovery of a breach.”
The Student Digital Privacy Act, “modeled on a landmark California statute, builds on the recommendations of the White House Big Data and Privacy review released earlier this year, would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school,” the White House release said. But it would not stand in the way of “important research initiatives to improve student learning outcomes, and efforts by companies to continuously improve the effectiveness of their learning technology products.”
Saying that Americans “shouldn't have to forfeit our basic privacy when we go online to do our business,” Obama said in advance of his address next week that the “sphere of privacy around” each of us “should not be breached” by government or commercial interests. “As we've all been reminded over the past year, including the hack of Sony, this extraordinary interconnection creates enormous opportunities, but also creates enormous vulnerabilities for us as a nation and for our economy, and for individual families,” Obama told the commission.
American business has been hit by numerous high-profile breaches in the last couple of years and many companies have come under fire for how they've handled not only resolution of the incidents but notification as well.
Congress has kicked around a number of legislative initiatives intended to create a national data breach notification law over the last few years but those bills have languished, typically in committee, with legislators struggling to even define a data breach.
Organizations currently must adhere to the regulatory requirements imposed by state data breach laws, which, to date, number 47. If the national law is enacted, companies will benefit from “the certainty of a single, national standard,” the White House said. “The proposal also criminalizes illicit overseas trade in identities.”
Obama's speech drew cautious praise from industry and privacy advocates. “For too long, it has been America's companies taking the lead in protecting the privacy of consumers without clear or consistent guidance from government,” Nuala O'Connor, President and CEO at the Center for Democracy and Technology, said in a prepared statement sent to SCMagazine.com. “It's time we have comprehensive privacy legislation to help build consumer trust, promote technological innovation, and create a digital framework that respects the right to privacy in our daily lives.”
Noting that banks “invest hundreds of millions of dollars every year to put in place multiple layers of security,” American Bankers Association President and CEO Frank Keating, in a statement sent to SCMagazine.com, said the banking industry “shares the president's commitment to protecting the security and privacy of Americans' personal information, and we appreciate the White House's engagement on this critical issue.”
Ken Westin, senior security analyst with Tripwire, hailed the President's efforts in comments sent to SCMagazine.com, saying that “although many states already have laws in place regarding breach notification, with federal legislation it will remove any doubt with regards to the notification periods.”
He added in an email correspondence with SCMagazine.com that there are some issues that must be addressed before a law is enacted.
Citing trust and privacy challenges of private industry collaborating with law enforcement, Westin pointed out, “When a breach has occurred companies may think twice before contacting law enforcement when there is a compromise, at least delaying their response to law enforcement due to the new notification requirements. If they reach out to law enforcement for assistance in investigating a breach, would the ‘30-day shot clock’ for breach notification kick in at that point? Would there be a line of communication with law enforcement where information can be exchanged in confidence?”
Companies may have good reason not to notify within 30 days. “These are all items I believe that will need to be hashed out before this is rolled out,” he said.
While the White House usually tries “to hold all the news until the day of the speech,” according to a blog penned by Assistant to the President and Senior Advisor Dan Pfeiffer, Obama has broken precedent by revealing a number of “SOTU Spoilers” as he travels around the country. His remarks Monday at the FTC reflect the White House's growing concern with cybersecurity and hinted at the steps he believes government should take to better protect Americans' private data. In addition to the two pieces of legislation, Obama proposed efforts to identify and prevent identity theft and for the private sector to develop tools to protect student privacy.
Obama also praised the FTC, noting that he “wanted to start here, at the FTC, because every day you take the lead in making sure that Americans, their hard-earned money and their privacy are protected, especially when they go online” and acknowledging “that's pretty much for everything: managing our bank accounts, paying our bills, handling everything from medical records to movie tickets, controlling our homes -- smart houses, from smart phones.” The FTC has aggressively held companies to a high standard and pursued those that it believes put privacy at risk.