In last week’s State of the Union address, President Barack Obama continued his ongoing push for nationwide privacy legislation to “better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” Recognizing the real threats posed by inadequate remedies for cybersecurity breaches, the president noted that “[n]o foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” He also reiterated his desire to ensure that “our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.”

In addressing these pressing issues, the president stated that failure to act will “leave our nation and our economy vulnerable” and described his interest in protecting “the technologies that have unleashed untold opportunities for people around the globe”—including “a free and open Internet”—and extending the Internet’s “reach to every classroom, and every community, and help[ing] folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world.” The president tied the need to protect the country’s intellectual property to his hope for “Americans to win the race for the kinds of discoveries that unleash new jobs.”

These comments came just a week after the president’s recent visits to the Federal Trade Commission and the Department of Homeland Security, where he also discussed the privacy and cybersecurity challenges facing the nation. His clear messages focus on the need for federal data breach notification requirements, stronger anti-hacking laws, legislation addressing student privacy and cybersecurity issues, and surveillance reform. These initiatives plainly remind all of us of the ongoing need for businesses to devote substantial attention and resources to privacy issues in 2015 and beyond.

At a minimum, we suggest that all businesses:

  1. provide security training to all their employees and designate a specific individual within the organization who will be responsible for the company’s privacy obligations;
  2. conduct regular privacy/security risk assessments and audits to ensure that the company is taking reasonable measures to protect private data;
  3. remedy any identified risks promptly and thoroughly;
  4. minimize the amount of data collected and retained; and
  5. conduct business with third parties that take reasonable measures to protect data.