President Barack Obama on Monday called on Congress to enact federal legislation that would force American companies to be more forthcoming with information and updates when credit card data and other consumer information are stolen in online breaches.
The move follows high-profile breaches at retailers and other companies last year including Target, Sony, Home Depot and Neiman Marcus.
In addition to the customer notification legislation, Obama will also ask lawmakers to pass the Student Digital Privacy Act. The measure would prohibit companies from selling student data to third parties, a move spurred by the increased use of technology in schools that can scoop up personal information.
One National Standard
The Personal Data Notification and Protection Act would create a single, national standard that would obligate companies to inform their customers within 30 days after discovering their data has been hacked. The proposed act was announced by Obama Monday during a speech at the Federal Trade Commission (FTC).
Obama said that the current assortment of state laws covering hacking incidents does not sufficiently protect Americans and is a burden for companies that do business across the country. The president's proposals are part of a weeklong focus on privacy and security ahead of next week's State of the Union address.
If passed by Congress, the Personal Data Notification and Protection Act could require companies located in the United States to notify customers within 30 days after their personal information has been compromised. Recent hacks have exposed the lack of uniform practices for alerting customers in the event of a breach. The legislation, which would be partly based on an existing statute in California, would also make it a crime to sell customers' identities overseas.
"As cybersecurity threats and identity theft continue to rise, recent polls show that nine in 10 Americans feel they have in some way lost control of their personal information -- and that can lead to less interaction with technology, less innovation and a less productive economy," according to a White House briefing document on the proposed legislation.
30-Day Shot Clock
We reached out to Rick Holland, principal analyst, Security & Risk Management, at Forrester, who told us that many companies don't provide breach notification unless they are compelled to do so via regulatory means. He said that Obama's proposal would address that issue.
"It would also reduce the extreme complexity of domestic breach notification laws," Holland told us. "There are entire consulting practices around helping companies understand who, what and how they must provide breach notification. A national breach notification law with a high-water mark would be a good step towards better protecting consumers."
Under the proposed law, the discovery of a breach would trigger a 30-day "shot clock" that requires notification of customers and clarifies when breaches must be disclosed. The FTC would have the power to issue penalties to companies that did not comply.
"One downside of a 30-day shot clock is that oftentimes incident response activities are still continuing and required notification could tip off the adversary that the company is investigating the intrusion," Holland said. "This, however, is more likely to benefit the company versus the consumer."
It's unclear whether the new Republican-led Congress will take up either of Obama's legislative proposals or whether policy disputes in other areas could delay congressional action on the proposals.