Yesterday, January 12th, President Obama spoke regarding data breach notification; consumer privacy; student privacy; and the accessibility of credit scores. He noted that he will address these topics in his State of the Union Address on January 20th, suggesting that these issues are likely among the Administration’s major initiatives for the remainder of the President’s term. Certainly, these issues are now more prominent than ever before, and the Hill may become seriously engaged. The Presidential focus, of course, presents both opportunities and challenges.
In choosing to speak at the Federal Trade Commission, the President noted that he is the first president to visit the FTC in 80 years, and also highlighted his relationship back to law school with Chairwoman Edith Ramirez. We believe that the White House will likely look to the FTC for significant leadership on these issues.
Personal Data Notification and Protection Act
The proposed “Personal Data Notification and Protection Act” would create a single, national notification standard, which is a provision strongly supported by the business community. The proposal would also require companies to notify customers within 30 days; only one state (Florida) requires notification within such a short period. This recognition of the importance of a single, uniform breach notification standard stands in contrast to the position taken by many Congressional Democrats and consumer groups, who have opposed a uniform notification standard.
Student Digital Privacy Act
The President also indicated that he would be proposing the “Student Digital Privacy Act,” which would prevent companies from selling K-12 student data collected in an educational context to third parties for non-educational purposes. He specifically noted that this proposal would prevent targeted advertising to students based on that data. To our knowledge, yesterday marks the first occasion that a president has publicly mentioned “targeted advertising.”
The President stated that he, “won’t wait for legislation,” and that the Department of Education will offer new tools to help schools, teachers, and technology companies cooperate to protect student privacy. So far, 75 companies have signed a Student Privacy Pledge, committing not to sell student information or use educational technologies for targeted advertising.
The proposal is based on a California bill that may be becoming the de facto student privacy standard (a verbatim version is pending in the Florida state legislature as H.B. 59), though there are concerns that as more states examine this issue, they may seek to implement standard different than California.
The President announced that several companies, including JPMorgan Chase and Bank of America, will “join the growing list of firms making credit scores available for free to their consumer card customers.” The President, however, is not calling for legislation requiring that more companies follow suit, saying only “we’re encouraging more companies to join this effort every day.” The President characterized the effort as helpful for consumers to recognize identity theft at an early stage.
Consumer Privacy Bill of Rights
The President stated that the Administration will also revise and release its Consumer Privacy Bill of Rights, which it originally proposed in February 2012. A bill was never introduced, even by sympathetic Democrats; indeed, Democrats never held a related hearing when they held a Senate majority. The President stated that he intends to publish the bill “by the end of next month.”
The President also spoke about cybersecurity legislation at the National Cybersecurity and Communications Integration Center.
The President’s proposal would give liability protection to companies that provide the Department of Homeland Security (DHS) or certain private-sector-created information and analysis organizations with information, stripped of consumer PII, that indicates cyberthreats and cyberattacks. Industry and consumer groups agree that adequate means exist for information sharing, but industry argues that a lack of immunity prevents many firms from actually doing so.
The proposal would also:
- Provide for the prosecution of the sale of botnets and provide courts the authority to shut down botnets;
- Criminalize overseas sale of stolen U.S. credit card and bank account numbers;
- Expand federal law enforcement authority against the sale of spyware used for stalking or for identity theft;
- Require DHS to rapidly share such information with other federal agencies, including the Federal Bureau of Investigation, Secret Service, the National Security Agency, and the Pentagon’s Cyber Command; and
- Require the Attorney General to develop guidelines for the government’s use and retention of data.
AGG sources indicate that several Members of Congress are considering introducing legislation addressing data breach notification, and there are indications that several privacy bills may be in the works, as well. Republicans, broadly, are eager to get out in front on these issues and are looking to promote a number of bills that address several aspects of this issue.
- The Administration may be considering industry codes of conduct, which may require approval from the FTC.
- The President acknowledged that the business community has taken the lead in protecting the privacy of consumers, indicating that the Administration understands that companies take consumers’ privacy seriously, and do not simply seek to exploit consumer data.
- The President did not mention data brokers or limits on government data collection (such as ECPA or NSA reform).