Data security and privacy concerns received special attention in President Obama’s State of the Union address, where the President advocated his recently released data security and privacy legislative proposals. During the speech, with respect to data security, President Obama urged Congress to pass legislation that would guard against cyberattacks, combat identity theft, and protect children’s data. He called for a bipartisan effort and noted that failing to take action would leave the country and the economy vulnerable. President Obama addressed privacy concerns in the context of the government’s surveillance programs. He noted that intelligence agencies have worked with the recommendations of privacy advocates to increase transparency and build more safeguards against potential abuse. He promised to release a report next month explaining how the government has protected both national security and privacy interests.
Leading up to the State of the Union, President Obama announced several pieces of legislation touching on privacy, data security, and data breach notification with potential ramifications for businesses nationwide.
“If we’re going to be connected, then we need to be protected,” President Obama said, characterizing the time as a “dizzying age of technology and innovation.”
In a speech at the Federal Trade Commission, the President unveiled his Personal Data Notification & Protection Act, a bill that would establish nationwide, uniform consumer data breach notification rules in lieu of the current patchwork of 47 different state laws. The bill would beef up criminal penalties for hackers and would require companies to notify consumers of a breach within 30 days.
A second piece of proposed legislation, the Student Digital Privacy Act, would prohibit the sale of sensitive student data for non-education purposes. It has the support of 75 major companies (like Apple and Microsoft) that have already signed onto a student privacy “pledge” promising not to send students behaviorally targeted ads. “Data collected on students in the classroom should only be used for educational purposes, to teach our children, not to market to our children,” the President said.
By the end of February, President Obama said he intends to ask Congress to codify the Consumer Privacy Bill of Rights issued by the White House in 2012. If enacted, businesses would be held accountable for compliance with seven principles related to consumer privacy: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability.
The Bill of Rights sets out “basic baseline protections across industries,” the President explained. “For example, we believe that consumers have the right to decide what personal data companies collect from them and how companies use that data, that information; the right to know that your personal information collected for one purpose can’t then be misused by a company for a different purpose; the right to have your information stored securely by companies that are accountable for its use.”
The President continued his focus on privacy and data security with a visit to the National Cybersecurity Communications Integration Center, where he announced a legislative proposal intended to encourage businesses to share cyberthreat information with the NCCIC.
Pursuant to the bill, companies that share such information and take “measures to protect any personal information that must be shared” would be granted “targeted liability protection,” President Obama promised.
Why it matters: President Obama’s State of the Union address, along with the President’s recent focus on multiple legislative measures, signals that the issues of privacy and cybersecurity will be front and center on his agenda for 2015. While recent high-profile cyberattacks could give the bills momentum and some groups have indicated their support for the proposals, passage is not a done deal. For example, although the Direct Marketing Association and the Interactive Advertising Bureau praised the national data breach notification bill, Consumer Watchdog expressed concern that the proposal would preempt stronger state law protections. Could 2015 be the year for a national privacy or data breach notification law? It remains to be seen.