Obama Seeks to Nationalize Breach Notification
President Also Outlines Steps to Assist Identity Theft Victims
(This story has been updated with remarks from President Obama.)
President Obama is proposing a national data breach notification law that would require businesses to notify consumers within 30 days of a breach.
The Personal Data Notification and Protection Act, if enacted, would supersede nearly four dozen state statutes that regulate data breach notification. The bill is one of a series of measures Obama proposed in a speech delivered Jan. 12 at the Federal Trade Commission. He contends the proposal is aimed at protecting American companies, consumers and infrastructure from cyberthreats while safeguarding privacy and civil liberties.
"We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government [or] by commercial interests," Obama said. "And since we're pioneers in both these areas, I'm confident that we can be pioneers in crafting the kind of architecture that will allow us to ... grow, innovate and preserve those values that are so precious to us as Americans."
Obama also outlined new steps by the government to assist victims of identity theft, including supporting the Federal Trade Commission in its development of a new one-stop resource for victims at IdentityTheft.gov and expanding information sharing to ensure federal investigators' ability to regularly report evidence of stolen financial and other information to companies whose customers are directly affected.
The president's proposals come as the cyber-attack on Sony Pictures Entertainment still reverberates and the impact of breaches at Target, Home Depot and a number of other businesses and banks continues to be felt.
Bringing Peace of Mind
According to a White House fact sheet, the president proposes the national data breach notification law should "bring peace of mind to the tens of millions of Americans whose personal and financial information has been compromised in a data breach."
The Personal Data Notification and Protection Act would clarify and strengthen the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement after the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also would criminalize illicit overseas trade in identities.
"America's personal information, including financial information, gets stolen," Obama said. "And the problem is growing, and it costs us billions of dollars. In one survey, nine out of 10 Americans say they feel like they've lost control of their personal information. In recent breaches, more than 100 million Americans have had their personal data compromised, like credit card information. When these cybercriminals start racking up charges on your card, it can destroy your credit rating. It can turn your life upside down. It may take you months to get your finances back in order. So this is a direct threat to the economic security of American families and we've got to stop it."
This isn't the first time Obama has proposed a national breach notification bill. In 2011, as part of a comprehensive cybersecurity legislative agenda, the president offered a similar bill that would have required businesses to notify consumers in 60 days, not 30 days as in the new measure (see Obama Offers Breach Notification Bill). Over the years, lawmakers have proposed a national requirement for data breach notification, but none of the bills ever came up for a vote by either the House or the Senate.
The HIPAA breach notification rule already requires notification within 60 days for health data breaches affecting 500 or more individuals.
Challenges of Nationalizing Breach Notification
The idea of a national data breach notification requirement is appealing to businesses because it would enable them to follow one law rather than 47 different ones. However, the challenge in getting such a law enacted is building a consensus on the provisions in the bill, such as how promptly a business would have to notify consumers of a breach and what types of breaches would warrant notification. Businesses, generally, seek less onerous provisions than those sought by privacy groups.
"Although many states already have laws in place regarding breach notification, with federal legislation it will remove any doubt with regards to the notification periods," says Ken Westin, senior security analyst with Tripwire, a provider of information security and compliance automation products. "Particularly with the number of high-profile breaches over the past year, many companies are reticent to notify consumers when credit card and other data are compromised, simply because of the effect it can have on the business, from loss of trust, lawsuits, fines and fees and other related expenses to clean up the mess after a breach occurs."
In the FTC speech, Obama also disclosed that JPMorganChase, Bank of America, USAA and State Employees' Credit Union - in partnership with Fair Isaac Corp., known as FICO - will join the growing list of firms making credit scores available for free to their consumer card customers. In addition, Ally Financial is making credit scores available to its auto loan customers.
"This means that a majority of American adults will have free access to their credit score, which is like an early warning system telling you that you've been hit by fraud so you can deal with it fast," Obama said.
Safeguarding Student Data
The president's measures also are aimed at safeguarding student data in the classrooms. Obama is proposing a new law, the Student Digital Privacy Act, which would ensure data collected in the educational context is used only for educational purposes. The White House says this bill would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school.
"We're saying that data collected on students in the classroom should only be used for educational purposes - to teach our children, not to market to our children," he said. "We want to prevent companies from selling student data to third parties for purposes other than education. We want to prevent any kind of profiling that puts certain students at a disadvantage as they go through school."
As the president delivered his remarks, the Department of Energy and the Federal Smart Grid Task Force released a new voluntary code of conduct for utilities and third parties aimed at protecting electricity customer data, including energy usage information. The White House says the voluntary code reflects a year of expert and public consultation, including advice from industry stakeholders, privacy experts and the public. As companies begin to sign on, the voluntary code should help improve consumer awareness, choice and consent and controls on access, the White House says.