President Obama will continue to apply his influence (and pen) to jump-start the legislative process on key issues, this time by proposing a pair of laws aimed at creating federal data breach legislation as well as protecting the privacy of student data.
Speaking at the Federal Trade Commission (FTC) Monday, the President said he would call for a Personal Data Notification and Protection Act and a Student Data Privacy Act during his State of the Union address on Jan. 20. The former would clarify and strengthen “the obligations companies have to notify customers when their personal information has been exposed.” A key part of that law would be “a 30-day notification requirement from the discovery of a breach.”
The Student Digital Privacy Act, “modeled on a landmark California statute, builds on the recommendations of the White House Big Data and Privacy review released earlier this year, would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school,” the White House release said. But it would not stand in the way of “important research initiatives to improve student learning outcomes, and efforts by companies to continuously improve the effectiveness of their learning technology products.”
Saying that Americans “shouldn't have to forfeit our basic privacy when we go online to do our business,” Obama said in advance of his address next week that the “sphere of privacy around” each of us “should not be breached” by government or commercial interests. “As we've all been reminded over the past year, including the hack of Sony, this extraordinary interconnection creates enormous opportunities, but also creates enormous vulnerabilities for us as a nation and for our economy, and for individual families,” Obama told the commission.
American business has been hit by numerous high-profile breaches in the last couple of years and many companies have come under fire for how they've handled not only resolution of the incidents but notification as well.
Congress has kicked around a number of legislative initiatives intended to create a national data breach notification law over the last few years but those bills have languished, typically in committee, with legislators struggling to even define a data breach.
Organizations currently must adhere to the regulatory requirements imposed by state data breach laws, which, to date, number 47. If the national law is enacted, companies will benefit from “the certainty of a single, national standard,” the White House said. “The proposal also criminalizes illicit overseas trade in identities.”
Obama's speech drew cautious praise from industry and privacy advocates. “For too long, it has been America's companies taking the lead in protecting the privacy of consumers without clear or consistent guidance from government,” Nuala O'Connor, President and CEO at the Center for Democracy and Technology, said in a prepared statement sent to SCMagazine.com. “It's time we have comprehensive privacy legislation to help build consumer trust, promote technological innovation, and create a digital framework that respects the right to privacy in our daily lives.”