President Proposes National Breach Notification Standard

President Obama today announced plans to propose a national data breach notification standard, a consumer privacy bill of rights, and privacy protection for students using electronic learning materials.

Lacking precise detail, President Obama today proposed a national data breach notification standard, legislation that would mandate that breached companies notify affected consumers within 30 days.

The national law would supersede the patchwork of state laws that currently govern notification.

“Right now, every state has a different law,” Obama said in introducing the Personal Data Notification and Protection Act before the Federal Trade Commission in Washington, D.C. “It’s confusing for consumers and companies, and costly to comply with this patchwork of laws.”

The granddaddy of state data breach laws is California’s landmark SB 1386, which was enacted in 2003 at the crest of early public data breaches. EFF legislative analyst Mark M. Jaycox said whatever comes out of Obama’s proposed national standard must be on par with California’s law.

“California’s law is simple and gives a very clear standard for notification,” Jaycox said. “If any person’s information is leaked, the company has a reasonably quick time period to inform. It stands out for its clarity and simplicity.”

Right now, only Alabama, New Mexico and South Dakota have no law related to data breach notification.

“The state laws are difficult to navigate to the extent that there are different standards and thresholds when releasing information,” Jaycox said. “Most companies choose the strictest to follow, or they follow the California law.”

Obama said the national legislation would also work toward closing loopholes in current law that make it difficult for law enforcement to pursue hackers who sell the personal and payment card information of Americans overseas. The president said that tomorrow he is scheduled to meet with the Department of Homeland Security to work out measures to help the private sector defend against attacks.

“This is a direct threat to the economy and the security of American families. We’ve got to stop it,” Obama said, subtly referring to a yearlong barrage of hacks against private American companies in 2014, starting with Target, through Home Depot and the damaging Sony hack. “If we are going to be connected, we need to be protected. We shouldn’t forfeit our privacy when we’re going online to do our business.”

The president also announced a consumer privacy bill of rights, new legislation he expects to be introduced at the end of February that identifies privacy principles and preserves them while allowing enterprises to continue to innovate.

“Consumers have a right to know what data companies are collecting from them and how companies use that information,” Obama said. “Right now, they know information may be collected for one purpose, but it may be misused for different purposes. There ought to be basic baseline protections across industries.”

He also announced pending legislation called the Student Digital Privacy Act designed to protect the personal information of school-aged children operating in large part inside of digital classrooms. More textbooks are electronic and more assignments are given via online portals. The announced legislation aims to curb any abuses in mining student data from their interactions with those digital learning tools.

“We’ve seen instances where companies are collecting student data for commercial purposes for targeted advertising,” Obama said. “Parents have legitimate concerns about those practices. [The legislation] ensures that data collected from students in the classroom is used for education, to teach children, not to market to our children.”

Obama hinted that more detail could be forthcoming at next week’s State of the Union address where he hopes to reach out to the new Republican-controlled Congress for help to push these initiatives through.

“These issues transcend partisan divides,” Obama said.

Discussion

  • clarify jaycox comment on

    The comment, "Most companies choose the strictest one to follow or they follow the California one." - those who take the Calif route, is it because it is one of the easiest to follow, or is it the strictest of all state data breach notification laws? In addition, isn't the notification requirement more a part of a Privacy Information Law, where either Nevada's or Massachusetts' version takes top billing for being the toughest?
