“If we’re going to be connected, we’ve got to be protected.” With those words President Barack Obama unveiled new consumer privacy legislation and new cybersecurity and privacy partnerships between the federal government and the private sector at the Federal Trade Commission (FTC) on January 12, 2015. The president recognized that the growing problem of cyber-attacks costs the U.S. billions of dollars, and stated that cybersecurity incidents were “…a direct threat to the economic security of American families, and we’ve got to stop it.”
The president’s new security initiatives include:
Initiatives to Improve Consumer Confidence and Fight Identity Theft
- The proposed Personal Data Notification & Protection Act will set a uniform 30-day breach notification period across the country. Currently, the notification period for companies that hold personally identifiable information varies among the 47 states that have enacted breach notification laws. The president recognized that the different state laws create confusion for consumers and companies, and that it can be costly for companies to comply with each state’s different laws. The bill would also criminalize the overseas trade of personally identifiable information.
- The president is also looking for a commitment from various financial institutions to offer credit scores for free to their customers.
Initiatives to Safeguard Student Data in the Classroom and Beyond
- The Student Digital Privacy Act, which will be modeled after a California statute that prohibits the use of data collected in the educational context for non-educational purposes, will prohibit the sale of student data to third parties for purposes unrelated to education and will prohibit a company’s use of student data collected in school for targeted advertising. The law will contain exceptions for important research initiatives to improve learning outcomes and the effectiveness of learning technology products.
- The president has issued a challenge for more companies to commit to the Future of Privacy Forum’s and the Software & Information Industry Association’s pledge to provide parents, teachers, and students with protections that prohibit the misuse of their data.
- Tools from the U.S. Department of Education and its Privacy Technical Assurance Center, including model terms of service and teacher training, will help protect children from invasions of privacy and ensure the proper use of education data only for educational purposes.
Convening the Public and Private Sector to Tackle Emerging Privacy Issues
- After a year of expert and public consultation with industry stakeholders and privacy specialists, the U.S. Department of Energy and the Federal Smart Grid Task Force will release a new Voluntary Code of Conduct (VCC) for utilities and third parties to protect electric customer data based on the privacy principles of choice, consent, and access controls.
Promoting Innovation by Improving Consumers’ Confidence Online
- The administration will release revised legislation drafted by the U.S. Department of Commerce that would hold companies responsible for collecting, using, and disclosing a consumer’s personal information only in ways consistent with the context and purpose for which the consumer provided the data.
The president will discuss his new proposed measures in more detail during the State of the Union address. The new initiatives build on the president’s previously announced consumer privacy and anti-identity theft proposals. These include the BuySecure Initiative, which requires the use of chip and PIN technology in government credit cards and requires federal agency facilities to update transaction terminals to use this technology, as well as new steps by the government to detect identity theft and help identity theft victims.
Impact on Business
The new laws would impose significant new restrictions on businesses’ use of student information, as well as restrict the collection, use, and disclosure of consumer information. Businesses should minimize the amount and type of data they collect to only what is necessary to perform the service they provide. Businesses may also begin to receive queries from consumers and business partners about whether they have adopted and comply with the applicable voluntary privacy practices.
It is unclear if and when Congress will act on the new bills – Congress has either stalled or rejected previous cybersecurity bills. The new breach notification law, if enacted, will set a standard notification period for businesses that suffer a security breach that exposes personal information and will significantly simplify businesses’ efforts to comply with the various time periods set forth in each state’s breach notification law. In the past, the challenge to passing a federal breach notification law was whether the law would preempt stricter state laws. While businesses are hoping for a single standard, privacy advocates are pushing to keep stricter state laws intact.
Additional information on these initiatives is available on the White House website.