On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.
The proposed national data breach notification standard is largely preemptive of state data breach notification laws and would require businesses to notify affected individuals if their sensitive personally identifiable information (“SPII”) is subject to a “security breach.” Key aspects of the proposal are uniformly onerous from a business perspective. For example:
- The definition of SPII is broadly construed and differs from corresponding definitions of personal information under state data breach notification statutes.
- Businesses would have thirty days to notify affected individuals of a security breach, with limited exceptions. Businesses would not need to notify affected individuals if “there is no reasonable risk of harm or fraud” to the affected individuals. This high threshold, combined with the need to conduct a risk assessment and report the results to the FTC in order to rely on it, creates a more onerous standard than the majority of state laws with respect to consumer harm.
- Businesses are required to notify individuals directly and provide media notification in any state with more than 5,000 affected individuals.
- Businesses must notify “an entity designated by the Department of Homeland Security” within 10 days of discovering the breach.
In addition to breach notification, President Obama’s proposal encourages the private sector to share “appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center” (“NCCIC”). According to the announcement, the NCCIC will then share the cyber threat information with (1) appropriate federal agencies and (2) Information Sharing and Analysis Organizations (“ISAOs”), which are developed and operated by the private sector. To encourage sharing with ISAOs, the Obama Administration’s proposal grants “targeted liability protection” to companies that share the cyber threat information they acquire.
A third proposal seeks to modernize law enforcement to effectively combat illegal activities relating to cybersecurity. For example, according to the announcement, the proposal “would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give the courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.”