In the wake of recent cyber attacks on U.S. companies, including the now famous Sony hack, President Obama has proposed new federal legislation that would presumably provide more security for confidential and private information of consumers that is and will be forevermore accessible from the very busy information superhighway.
What does that mean for your company? Here’s a rundown.
The idea behind the legislation is to prevent identity theft and improve consumer privacy by making more robust the level of security provided by corporations and businesses that have their hands in a consumer’s cyberpocket. The specifics include:
- Implementing a consumer “privacy bill of rights” to protect victims of data breaches suffered by businesses ranging from financial institutions, to retailers, to any other business that holds consumer data that should be kept secure.
- Requiring companies to notify consumers within 30 days whenever you’re the consumer’s personal data has been disclosed or accessed without proper authorization, whether by improper hacking, corporate misconduct, or simple negligence in maintaining security systems already in place.
- Allowing consumers to stay on top of their credit scores by giving them more than one free copy of their credit report each year and by requiring financial institutions to tell them their credit score more often, and without charge.
- Placing limits on data can be collected from students to prevent advertisers and website from collecting data to target youth for any reason other than educational purposes.
While the President’s ideas are laudable, many of the breaches that have already occurred involving consumer debt are simply due to employees downloading malware or other virus-infected software, or taking other action that should — in this day and age — be avoidable. For example, the New York Timesreported the recent hack into the J.P. Morgan system was the result of a server not being properly updated, a simple procedure that should be part and parcel of a company’s ordinary business operations these days.
The President is also going to have to convince some digital rights advocates who take issue with his proposal. Many assert that the President’s proposal would give companies legal immunity for sharing information about cyber security threats with the Government; a Government they are loathe to trust. They also object to the possible preemption of broad state laws already in effect with weaker, less effective federal substitutes.
Expect to hear more about this in the near term, but don’t expect any quick fix.
I think we can all agree with the President that, “If we are going to be connected, we have to be protected.” And the goal of providing more blanket federal protections rather than a mish mash of state protections isn’t a bad one. But like moving the Queen Mary in dry dock, this Congress won’t be making any decisions anytime soon.