BreachExchange mailing list archives

Obama Seeks to Nationalize Breach Notification


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 Jan 2015 18:27:32 -0700

http://www.databreachtoday.com/obama-seeks-to-nationalize-breach-notification-a-7774

President Obama is proposing a national data breach notification law that
would require businesses to notify consumers within 30 days of a breach.

The Personal Data Notification and Protection Act, if enacted, would
supersede nearly four dozen state statutes that regulate data breach
notification. The bill is one of a series of measures Obama is proposing in
a speech at the Federal Trade Commission on Jan. 12 that the White House
says is aimed at protecting American companies, consumers and
infrastructure from cyberthreats while safeguarding privacy and civil
liberties.

Obama also is outlining new steps by the government to assist victims of
identity theft, including supporting the Federal Trade Commission in its
development of a new one-stop resource for victims at IdentityTheft.gov and
expanding information sharing to ensure federal investigators' ability to
regularly report evidence of stolen financial and other information to
companies whose customers are directly affected.

The president's proposals come as the cyber-attack on Sony Pictures
Entertainment still reverberates and the impact of breaches on Target, Home
Depot and a number of other businesses and banks continues to be felt.

Bringing Peace of Mind

According to a White House fact sheet, the president is proposing the
national data breach notification law "to bring peace of mind to the tens
of millions of Americans whose personal and financial information has been
compromised in a data breach."

The Personal Data Notification and Protection Act would clarify and
strengthen the obligations companies have to notify customers when their
personal information has been exposed, including establishing a 30-day
notification requirement from the discovery of a breach, while providing
companies with the certainty of a single, national standard. The proposal
also would criminalize illicit overseas trade in identities.

"As cybersecurity threats and identity theft continue to rise, recent polls
show that nine in ten Americans feel they have in some way lost control of
their personal information - and that can lead to less interaction with
technology, less innovation, and a less productive economy," the White
House says in a statement issued in advance of the president's remarks.

This isn't the first time Obama has proposed a national breach notification
bill. In 2011, as part of a comprehensive cybersecurity legislative agenda,
the president offered a similar bill that would have required businesses to
notify consumers in 60 days, not 30 days as in the new measure (see Obama
Offers Breach Notification Bill). Over the years, lawmakers have proposed
nationalizing data breach notification, but none of the bills ever came up
for a vote by either the House or the Senate.

The HIPAA breach notification rule already requires notification within 60
days for health data breaches affecting 500 or more individuals.

Challenges of Nationalizing Breach Notification

The idea of nationalizing data breach notification is appealing to
businesses because it would enable them to follow one law rather than 47
different ones. However, the challenge in getting a national breach
notification law enacted is building a consensus on the provisions in the
bill, such as how promptly a business would have to notify consumers of a
breach and what types of breaches would warrant notification. Businesses,
generally, seek less onerous provisions than those sought by privacy groups.

In the FTC speech, Obama also is disclosing that JPMorganChase, Bank of
America, USAA and State Employees' Credit Union - in partnership with Fair
Isaac Corp., known as FICO - will join the growing list of firms making
credit scores available for free to their consumer card customers. In
addition, Ally Financial is making credit scores available to its auto loan
customers.

"Through this effort over half of all adult Americans with credit scores
will now have access to this tool to help spot identity theft, through
their banks, card issuers or lenders," the White House statement says.

Safeguarding Student Data

The president's measures also are aimed at safeguarding student data in the
classrooms. Obama is proposing a new law, the Student Digital Privacy Act,
which would ensure data collected in the educational context is used only
for educational purposes. The White House says this bill would prevent
companies from selling student data to third parties for purposes unrelated
to the educational mission and from engaging in targeted advertising to
students based on data collected in school.

As the president is delivering his remarks, the Department of Energy and
the Federal Smart Grid Task Force are releasing a new voluntary code of
conduct for utilities and third parties aimed at protecting electricity
customer data, including energy usage information. The White House says the
voluntary code reflects a year of expert and public consultation, including
advice from industry stakeholders, privacy experts and the public. As
companies begin to sign on, the voluntary code should help improve consumer
awareness, choice and consent and controls on access, the White House says.