BreachExchange mailing list archives
Obama Seeks to Nationalize Breach Notification
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 Jan 2015 18:27:32 -0700
http://www.databreachtoday.com/obama-seeks-to-nationalize-breach-notification-a-7774

President Obama is proposing a national data breach notification law that would require businesses to notify consumers within 30 days of a breach. The Personal Data Notification and Protection Act, if enacted, would supersede nearly four dozen state statutes that regulate data breach notification.

The bill is one of a series of measures Obama is proposing in a speech at the Federal Trade Commission on Jan. 12 that the White House says is aimed at protecting American companies, consumers and infrastructure from cyberthreats while safeguarding privacy and civil liberties.

Obama also is outlining new steps by the government to assist victims of identity theft, including supporting the Federal Trade Commission in its development of a new one-stop resource for victims at IdentityTheft.gov and expanding information sharing to ensure federal investigators' ability to regularly report evidence of stolen financial and other information to companies whose customers are directly affected.

The president's proposals come as the cyber-attack on Sony Pictures Entertainment still reverberates and the impact of breaches on Target, Home Depot and a number of other businesses and banks continues to be felt.

Bringing Peace of Mind

According to a White House fact sheet, the president is proposing the national data breach notification law "to bring peace of mind to the tens of millions of Americans whose personal and financial information has been compromised in a data breach."

The Personal Data Notification and Protection Act would clarify and strengthen the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also would criminalize illicit overseas trade in identities.

"As cybersecurity threats and identity theft continue to rise, recent polls show that nine in ten Americans feel they have in some way lost control of their personal information - and that can lead to less interaction with technology, less innovation, and a less productive economy," the White House says in a statement issued in advance of the president's remarks.

This isn't the first time Obama has proposed a national breach notification bill. In 2011, as part of a comprehensive cybersecurity legislative agenda, the president offered a similar bill that would have required businesses to notify consumers in 60 days, not 30 days as in the new measure (see Obama Offers Breach Notification Bill). Over the years, lawmakers have proposed nationalizing data breach notification, but none of the bills ever came up for a vote by either the House or the Senate.

The HIPAA breach notification rule already requires notification within 60 days for health data breaches affecting 500 or more individuals.

Challenges of Nationalizing Breach Notification

The idea of nationalizing data breach notification is appealing to businesses because it would enable them to follow one law rather than 47 different ones. However, the challenge in getting a national breach notification law enacted is building a consensus on the provisions in the bill, such as how promptly a business would have to notify consumers of a breach and what types of breaches would warrant notification. Businesses, generally, seek less onerous provisions than those sought by privacy groups.

In the FTC speech, Obama also is disclosing that JPMorganChase, Bank of America, USAA and State Employees' Credit Union - in partnership with Fair Isaac Corp., known as FICO - will join the growing list of firms making credit scores available for free to their consumer card customers. In addition, Ally Financial is making credit scores available to its auto loan customers.

"Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers or lenders," the White House statement says.

Safeguarding Student Data

The president's measures also are aimed at safeguarding student data in the classroom. Obama is proposing a new law, the Student Digital Privacy Act, which would ensure data collected in the educational context is used only for educational purposes. The White House says this bill would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school.

As the president is delivering his remarks, the Department of Energy and the Federal Smart Grid Task Force are releasing a new voluntary code of conduct for utilities and third parties aimed at protecting electricity customer data, including energy usage information. The White House says the voluntary code reflects a year of expert and public consultation, including advice from industry stakeholders, privacy experts and the public. As companies begin to sign on, the voluntary code should help improve consumer awareness, choice and consent and controls on access, the White House says.