President Obama made a series of announcements on cybersecurity, data security, and privacy that will be incorporated into his State of the Union address tonight. In conjunction with the announcements, the White House released legislative proposals on cybersecurity information sharing and data breach notification. http://www.whitehouse.gov/omb/legislative_letters
On cybersecurity information sharing, the proposal authorizes private entities to share cyber threat information with the National Cybersecurity and Communications Integration Center (NCCIC) under the Department of Homeland Security, with information sharing organizations, and with law enforcement. The proposal requires private entities sharing cyber threat information to remove information that could be used to identify an individual. It also provides limited liability protection for the sharing of cyber threat information.
The proposal on data security requires companies to notify consumers of a breach involving their personal information within 30 days of discovery. The proposal gives dual enforcement and rulemaking authority to the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) over entities subject to the authority of the FCC. It also gives dual enforcement and rulemaking authority to the FTC and the Consumer Financial Protection Bureau over “financial information” and “information associated with financial products and services.” As such, it does not include an exemption for Gramm-Leach-Bliley regulated financial services companies, an exemption that has been included in most general Federal data breach notification bills. Most importantly, the proposal provides for Federal preemption of the disparate state data breach notification laws.
All of these issues are at the top of policymakers' lists this year, and these proposals will contribute to existing momentum in Congress.