In his January 20 State of the Union address, President Obama said, “We are a strong, tight-knit family who has made it through some very, very hard times.” This statement was used as a theme for the economic initiatives set forth in the speech, but it can also describe the intent and possible effect of the president’s cybersecurity and privacy initiatives, which he previewed in greater detail in a January 12 speech at the Federal Trade Commission (FTC). Per these initiatives, 2015 is set to be a year of increased cybersecurity and data privacy regulation and enforcement. Additionally, in the face of increased collection and use of information by businesses, as well as the devastating data breaches experienced in recent years, the initiatives are meant to improve the security of personal information. The initiatives also aim to make safeguarding information a top priority for companies so that “no foreign nation, no hacker, [would] be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids”.
“If we’re going to be connected, then we need to be protected.” — President Obama on tackling identity theft
In this area, the president revealed several initiatives, which are summarized below.
- Cybersecurity Information Sharing Plan: Under this plan, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center would share information on threats, in as close to real time as possible, with private sector organizations, which the White House called "Information Sharing and Analysis Organizations." These organizations would then provide details to businesses, and businesses would report problems to the organizations, which would convey the information to the National Cybersecurity and Communications Integration Center. Although this initiative encourages information sharing, it has been criticized for failing to effectively cement civilian control over the information-sharing program because it requires near-real-time sharing with military and intelligence agencies, such as the National Security Agency.
- Personal Data Notification and Protection Act: The Act, which is based on the White House’s 2011 cybersecurity proposal, is intended to create a single, strong national standard for informing consumers of data breaches within 30 days of discovery of the breach. The deadline for reporting also would be 30 days. The Act will likely apply to companies that handle sensitive personally identifiable information of more than 10,000 individuals during any 12-month period. Entities covered by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) would be exempt from the proposed law.
The Act is meant to preempt state law and replace the patchwork state and federal data breach notification laws, which the president described as confusing and costly to comply with. States, however, would be able to require that a breach notice under the Act also include information regarding victim protection assistance provided for by that state. The Act would not contain provisions allowing individuals to file lawsuits.
Under the Act, even if consumers are not informed of the breach, the FTC must be informed within 30 days of the company's assessment that “there is no reasonable risk” that the breach harmed or will harm the individuals whose information was affected by the breach. Penalties for failing to notify individuals would be $1,000 per individual per day, up to $1 million per breach incident. Critics of the proposed Act regard the 30-day timeframe as overly lax and object to this standard preempting stricter state laws. These critics prefer a federal baseline that would leave the states with the freedom to establish stronger standards. Other objections note that a preemption clause would also take away protections of strict state laws pertaining to health information, as those are not preempted by the HITECH Act.
- Identifying and Preventing Identity Theft Initiative: The president mentioned this initiative, which is intended to make credit scores more easily available to consumers. Through this effort, more than half of all adult Americans with credit scores will now have access to a tool to help spot identity theft through their banks, card issuers or lenders.
- FTC Consumer Assistance: The president announced that the government would take new steps to assist victims of identity theft, including supporting the FTC in their development of a new one-stop resource for victims at IdentityTheft.gov and expanding information sharing to ensure that federal investigators have the ability to regularly report evidence of stolen financial and other information to companies whose customers are directly affected.
Keeping Children Safe and Smart Online: Safeguarding Student Data in the Classroom and Beyond
- Student Digital Privacy Act: The bill, modeled after California statute SB 1177, would prevent companies from selling student data to third parties for purposes unrelated to an educational mission and from engaging in targeted advertising to students based on data collected in school. It would, however, still permit important research initiatives to improve student learning outcomes and efforts by companies to continuously improve the effectiveness of their learning technology products.
- Private Sector Commitments to Enhance Student Privacy: The president announced that 75 companies have committed to the cause, signing a pledge to provide parents, teachers and children with important protections against misuse of a child’s data.
- Department of Education Tools: In connection with the Department of Education’s Privacy Technical Assurance Center, a new model terms of service will be put forth, as well as teacher training assistance, which will enhance the ability to ensure educational data is used appropriately and in accordance with the educational mission.
Energy and Financial Sectors
- Federal Payments Security: In October 2014, as part of his BuySecure Initiative, the president issued an Executive Order laying out a new policy to secure payments to and from the federal government by applying chip and PIN technology to newly issued and existing government credit cards and debit cards, such as Direct Express. The initiative also included upgrading retail payment card terminals at federal agency facilities to accept chip and PIN-enabled cards. This accompanied an effort by major companies, like Home Depot, Target, Walgreens, and Walmart, to roll out secure chip and PIN-compatible card terminals in stores across the country.
- Voluntary Code of Conduct for Smart Grid Customer Data Privacy: The Department of Energy’s Office of Electricity Delivery and Energy Reliability and the Federal Smart Grid Task Force are releasing a new Voluntary Code of Conduct (VCC) for utilities and third parties, which is aimed at protecting consumer information collected through the electricity smart grid. The VCC deals with data collection policies, consumer control over access to data for secondary purposes, access to data and the ability to correct it, and storage of data. Per the VCC, (i) customers should be given clear and conspicuous notice about privacy-related policies and practices as part of providing service, both in advance of the service and when there is a change in the purpose/use; (ii) customers should have a degree of control over access to their customer data; (iii) customers should be able to access their data in a manner that is convenient, timely and cost-effective; (iv) customer data should be as accurate as reasonably possible and secured against unauthorized access; and (v) there should be enforcement mechanisms in place to ensure compliance with the foregoing concepts and principles.
Consumer Privacy Bill of Rights
The president announced that, within 45 days, legislation will be proposed to modify the 2012 version of the Consumer Privacy Bill of Rights. The amended version would promote consumers’ ability to (i) decide what personal data companies collect from them and how companies use that data; (ii) know that their personal information that is collected for one purpose cannot then be misused by a company for a different purpose; and (iii) have their information stored securely by companies that are accountable for its use.
The State of the Union address and the speeches that preceded it clearly flag 2015 as a year of increased scrutiny and enforcement with respect to privacy and data security in all sectors. The legislative initiatives will undoubtedly be met with stiff opposition from a Republican-controlled Congress. The FTC and other regulators, however, may take up the torch. Businesses should not delay in taking steps to ensure that their existing policies and procedures comply with the principles set forth in the various initiatives. As these initiatives build on similar principles in existing federal and state laws, planning ahead is possible and advisable and will put companies in a good position for compliance.