President Obama Proposes National Breach Notification Standard
The Personal Data Notification and Protection Act would require that consumers be notified of all breaches within 30 days.
In a speech at the Federal Trade Commission on January 12, 2015, President Obama proposed a nationwide breach notification standard that would require all U.S. companies to notify consumers of a breach within 30 days.
"In recent breaches, more than 100 million Americans have had their personal data compromised, like credit card information," Obama said. "When these cyber criminals start racking up charges on your card, it can destroy your credit rating. It can turn your life upside down. It may take you months to get your finances back in order. So this is a direct threat to the economic security of American families and we’ve got to stop it."
"Right now, almost every state has a different law on [breach notification], and it’s confusing for consumers and it’s confusing for companies -- and it’s costly, too, to have to comply to this patchwork of laws," Obama said.
The proposed Personal Data Notification and Protection Act, according to the White House, "clarifies and strengthens the obligations companies have to notify consumers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. The proposal also criminalizes illicit overseas trade in identities."
Tsion Gonen, chief strategy officer for Identity and Data Protection at Gemalto, told eSecurity Planet by email that the existing patchwork of data breach regulations in different states is a real problem. "The Personal Data Notification Act is an important step in changing the way companies implement appropriate security controls to protect customer data," he said.
Still, Gonen said that while the law will set clear notification periods, much more needs to be done to improve breach disclosure. "Not all breaches are alike, and by separating out 'secure' breaches (where the data was rendered useless before it was stolen) from insecure ones (where companies did not do what they could to protect customer data), we will get a clearer view of the data breach epidemic and develop better strategies to curb it," he said.
Steve Hultquist, chief evangelist at RedSeal, said by email that the new law will likely create additional pressure on organizations to work harder to avoid breaches rather than simply responding to them. "To avoid being breached, organizations have to be able to see and comprehend their extensive and complex network-interconnected systems and to know all possible attack vectors before they are exploited," he said. "The most visionary organizations understand that this analysis is actually possible, and deploy systems to continuously monitor their network and systems to safeguard their customers' information and their critical assets."
And Frank Keating, president and CEO of the American Bankers Association (ABA), said in a statement that the ABA "appreciates the White House's engagement" on data breach issues. "We fully support legislation that will help facilitate increased cyber intelligence information sharing between the private and public sectors in a manner that protects consumer privacy and allows information sharing on serious threats to our critical infrastructures," he said.
Still, Robert Cattanach, partner at law firm Dorsey & Whitney, told eSecurity Planet by email that not only is the new law long overdue, but it "may not receive the support it once could have from the business community, and is likely to get stalled in the inevitable disagreement over how it would be enforced (administratively by the FCC or class actions in the courts), and whether it will preempt more aggressive state laws -- the last issue may be a deal-killer either way."