The White House on Thursday proposed a new federal data breach notification law in an attempt to clarify a mish-mash of laws already on record. The notification comes as part of a much-delayed cybersecurity legislative proposal unveiled on Capitol Hill this week.
The sweeping reform comes nearly two years after President Obama issued his Cybersecurity Policy Review (.PDF) that branded cyberspace and its security as a “key strategic asset” to the United States.
The Obama administration’s latest proposal would help the general public by requiring businesses to notify customers if their sensitive data has been exposed following a data breach. Assuming there’s no reasonable risk of harm or fraud, companies would have 60 days to inform customers and the Federal Trade Commission.
In addition to the FTC and customers affected, companies would also have to inform local news media and credit reporting agencies if more than 5,000 individuals are affected.
A post by White House Cybersecurity Coordinator Howard Schmidt on the White House’s blog expresses the hope that the plan creates incentives for “organizations to have better data security in the first place.” The policy in question would supplant a patchwork of laws currently enacted in 47 states that dictate how long a business may take to notify its customers.
The rest of Obama’s proposal aims to strengthen criminal punishments for infiltrating critical infrastructure and adds flexibility to the Department of Homeland Security’s (DHS) role in responding to attacks. The legislation clarifies that the DHS can work directly with those who run critical infrastructure to prevent future intrusions and address looming threats.
A .PDF of the data breach notification is available for viewing here.