A proposed national data breach reporting law, aimed primarily at protecting consumer privacy, headlined several initiatives the Obama administration announced Monday.
The Personal Data Notification & Protection Act clarifies the obligations of companies when there’s been a data breach. It includes a requirement to notify customers within 30 days of the discovery of a breach. It also criminalizes illicit overseas trade in identities.
The administration also has proposed the Student Digital Privacy Act. Based on a recently enacted California law, the federal legislation would prevent companies from selling student data to third parties for purposes unrelated to education, and bar them from engaging in targeted advertising of students based on data gathered from schools.
In addition, the U.S. Education Department will be releasing some model terms of service agreements and teacher training assistance to enhance school systems’ ability to protect educational data from being used inappropriately.
The administration further revealed that within 45 days, the U.S. Commerce Department will be filing legislation based on the White House’s Consumer Privacy Bill of Rights to establish clear principles for online transactions — principles aimed at preventing consumer expectations from being abused.
Sounds Good, but…
A number of financial institutions have agreed to provide free copies of credit reports to their customers, the administration also announced. They include JPMorganChase, Bank of America, USAA, State Employees’ Credit Union and Ally Financial.
In addition, the U.S. Department of Energy and Federal Smart Grid Task Force has released a voluntary code of conduct for utilities to protect consumer data gathered by energy companies, including energy usage information.
“It’s very good that the president is finally putting a new emphasis and focus on the need for consumer privacy and cybersecurity,” said John M. Simpson, director of the Consumer Watchdog Privacy Project.
Although some of what the administration is proposing “sounds good,” he said, there are concerns about the kind of breach notification law the White House would support.
“There’s a very real danger that something at the national level could potentially preempt stronger state protections, and that would be a bad thing if it goes that route,” Simpson told the E-Commerce Times.
Fear of Water
Currently 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands all have data breach notification laws of various strengths.
“A federal statute is warranted and would be helpful to harmonize our standards,” said Joel R. Reidenberg, founding academic director of the Center on Law and Information Policy at the Fordham University School of Law.
“If some watered down proposal is offered that preempts the more effective state statutes, that would not be desirable,” he told the E-Commerce Times.
A federal notification law shouldn’t entirely preempt state law, maintained Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy & Technology.
“A federal standard could be good if it were a strong standard and still allowed the states to experiment with new protections,” he told the E-Commerce Times.
That can be done by establishing federal minimum standards, noted Marc Rotenberg, executive director of the Electronic Privacy Information Center.
“It is important to establish federal baseline legislation so that states can enact stronger safeguards,” he told the E-Commerce Times.
On the other hand, if the federal law is too strong, it could do more harm than good, maintained Trey Ford, global security strategist for Rapid 7.
“I fear that too fast a notification time line can create a level of haste in an investigation, because the investigators want to respect the law,” Ford told the E-Commerce Times.
“If you want a level of confidence that a breach has been identified, and that systems can be safely returned to the control of the company, having too fast a time line may be dangerous from that perspective,” he said. “A measured approach will make sense. Maybe some of the states are too aggressive in their time lines.”
Whatever the feds cook up, it’s bound to be less than totally suitable to everyone.
“Any time you take something off the rack, you’re going to find people who find it a little too tight or a little too loose,” Ford said.
While a national breach law may be a good thing, it’s still only treating one of the symptoms of a larger problem, contended Rob Shavell, CEO and cofounder of Abine.
“The problem is that almost every company has the ability — without any regulation at all — to collect huge amounts of data,” he told the E-Commerce Times. “The administration isn’t addressing the issue of who can collect data and why.”