Obama's Breach Notification Plan Lacks SpecificsA Big 'But' on Endorsements for Initiative
President Obama's call for enactment of a national data breach notification law has been widely welcomed by business groups and privacy advocates, but their endorsements come with a big proviso: What's in it? The White House hasn't provided details, yet.
See Also: HIPAA Audits: A Revised Game Plan
The groups largely agree that a national breach notification law makes sense because it would simplify the reporting of data breaches. As-is now, businesses must comply with 47 different state statutes. With a national law, there would be only one set of rules to follow. But as the old saw goes, the devil is in the details, and the White House has yet to give a timetable for when it will reveal those particulars.
Except for a requirement that businesses notify customers within 30 days of a data breach, few details about Obama's proposal have been made public by the White House, despite repeated requests to do so. And even the 30-day requirement is murky; exceptions to the time limit could delay notification.
The National Retail Federation endorses Obama's call to nationalize data breach notification, but "with a caveat," says NRF Media Relations Director Stephen Schatz. "We do remain a bit concerned about the 30-day timeframe," he says. "We don't know all of the details; we don't know if there's any loopholes or restrictions or delays based on certain patterns or metrics. All we know is that you heard 30 days."
Consumer rights advocates also have expressed concerns about Obama's proposal, especially if a national statute would weaken strong protections some states furnish in their laws. They say states should be allowed to implement more stringent requirements if the federal law isn't as tough as some state statutes.
"It's good that the president has re-focused on privacy and data security issues, but it would be terrible if his proposals preempt stronger state laws and offer less protection," says John Simpson, privacy project director at the not-for-profit advocacy group Consumer Watchdog. "Any national consumer privacy laws should be a floor, not a ceiling. States must be allowed to enact stronger measures."
Yet that wouldn't placate most businesses that seek simplification brought on by a single law. "Any federal standard should therefore contain strong state pre-emption language," says Elizabeth Hyman, executive vice president for public advocacy at TechAmerica, a high-tech industry trade group.
Flashback to 2011
To get an idea what might be in Obama's new proposal, look at the White House's 2011 national data breach notification initiative. That bill would have given businesses up to 60 days to notify consumers and the Federal Trade Commission of a breach unless there was no reasonable risk of harm or fraud. Other provisions in the 2011 legislative proposal included:
- Businesses receiving a 30-day extension in reporting breaches in order to conduct further investigation.
- Businesses being exempted from reporting if they would conduct risk assessments that show the breach didn't harm individuals whose personally identifiable information was exposed, the exposed data were rendered unusable through technology generally accepted by IT security experts; or participate in a security program that effectively blocked the use of the sensitive PII.
- Instituting civil penalties of up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct was found to be intentional.
- Businesses having to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For larger breaches, businesses also would have had to notify national credit reporting agencies.
The 2011 legislation also would have required certain breaches to be reported to an entity designated by the secretary of Homeland Security, including cases affecting more than 5,000 individuals; breaches involving a database containing information on more than 500,000 individuals nationwide; breaches involving databases owned by the federal government; or breaches involving employees or contractors to the federal government involved in national security or law enforcement.
Timing Behind Obama Proposal
White House Press Secretary Josh Earnest, at a briefing Jan. 12, sidestepped a question on how the new proposal differs from the 2011 one. But he said the timing is right to propose such legislation because the Sony breach gets the attention of lawmakers.
"The proposal that we have sent up, or will send up, is one that does have the strong support of consumer groups because they recognize how important it is for companies to fulfill their obligations to communicate clearly with their consumers and their customers to make sure those customers can take appropriate steps to protect their privacy and protect against identity theft," Earnest said. "At the same time, this is also welcome news to industry, because this clarity associated with one specific national standard would make it clear to them what sort of obligations they need to fulfill to their customers."
Notwithstanding the president's proposal, lawmakers who have sponsored data breach notification bills in the past, including Democratic Sens. Patrick Leahy of Vermont and Dianne Feinstein of California, says they'll do so again in the current Congress. "In just the last 18 months, many millions of Americans have had data stolen in hacks of Target, Neiman Marcus, Home Depot, Sony, JP Morgan Chase and other companies," Feinstein says. "Cyber-attacks cost the economy hundreds of billions of dollars a year, and this will only get worse. Congress must take steps to minimize the damage."
Advancing the State of the Union Address
Obama outlined his latest data breach notification proposal along with other initiatives aimed at protecting consumer online privacy and battling identity theft during a Jan. 12 speech at the Federal Trade Commission (see Obama Seeks to Nationalize Breach Notification). The president is spending the first half of this week promoting his cyber agenda in advance of his State of the Union address that will feature steps to promote and safeguard the digital world. On Jan. 13, Obama will visit the Department of Homeland Security to outline his cyberthreat information sharing plan, and on Jan. 14 he travels to Iowa to promote broadband access. "I'm laying out some new proposals on how we can keep seizing the possibilities of an Information Age, while protecting the security and prosperity and values that we all cherish," he said in his FTC speech.
President Obama explains the need for a national data breach law.
Also on Jan. 13, Obama is meeting with key lawmakers to discuss his cyber agenda. One of those lawmakers is the newly minted chairman of the Senate Commerce, Science and Transportation Committee, John Thune, R-S.D. Thune says he's ready to work with the president on data breach notification and other cybersecurity legislation. But his statement about the president's agenda had a partisan ring to it: "I welcome President Obama back to the discussion on cybersecurity in the wake of the highly publicized cyber-attack on Sony Pictures," says Thune, who took over chairmanship of panel, which would consider data breach notification legislation, after the Republican victory in November's election.
Thune complains that Obama didn't do enough late last year to get the then-Democratic majority in the Senate to enact other cybersecurity-related bills, including one to share cyberthreat information. "President Obama's engaged support for similar legislation this Congress would help address cyberthreats, improve privacy protections and would also begin to address concerns over the president's go-it-alone approach of unilateral executive actions on cyber and other issues."
White House's Disappointment with Congress
Earnest, at the press briefing, declined to explain how the cyberthreat information sharing proposal the president will present on Jan. 13 differs from the House-passed Cyber Intelligence Sharing and Protection Act, a measure that the White House twice threatened a veto in the past two congresses. "Well, we'll save tomorrow's news for tomorrow," he said. "But you have heard me say on a number of occasions that we've been pretty disappointed that Congress has not fulfilled their responsibility that they have to deal with this critically important issue."
The administration threatened a veto because White House officials contend CISPA didn't go far enough to protect individuals' privacy and went too far in furnishing liability protection to businesses that shared cyberthreat information.
"We would hope that that would not be something that would get bogged down in partisan debates," Earnest said. "This is something we should all be able to agree on. We'll see. I think the same thing - same description could apply to the kinds of cybersecurity legislation that the president looks forward to talking about tomorrow. But for the details of that, we'll have more on that for you."