President Obama on Monday announced a laundry list of proposals to improve the data privacy of US consumers.
One of his announcements was a proposal to create a federal law to replace what he called a “patchwork” of state laws addressing data breach disclosures.
During his speech at the Federal Trade Commission (FTC), he introduced the new law, which would compel companies to be forthcoming with details of breaches such as those suffered by the likes of Sony, Target and Home Depot.
The Washington Post quotes him:
We're introducing new legislation to create a single strong national standard so Americans know when their information has been stolen or misused. Right now almost every state has a different law on this and it's confusing for consumers and it's confusing for companies - and it's costly too, to have to comply with this patchwork of laws.
He’s certainly right about the US having a patchwork of disclosure laws. As of September, 47 states had such laws, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, according to the National Conference of State Legislatures.
Congress hasn’t yet seen details of the proposed Personal Data Notification and Protection Act, which would obligate companies to notify customers within 30 days of discovering a breach that exposed their personal information.
But a federal standard could actually be weaker than notification windows passed by some states recently. For example, in California and Connecticut, companies need to get notifications out within a lightning-fast five days of any breaches that involve health care and insurance data.
Marc Rotenberg, the president of the Electronic Privacy Information Center (EPIC), likes the fast turnaround a lot better than the president’s 30-day disclosure timeline:
The problem is that the effect will likely be to pre-empt the stronger state laws. We want a federal baseline, and leave the states with the freedom to establish stronger standards.
The President also announced the Student Digital Privacy Act: proposed legislation designed to protect student data from being used for non-educational purposes.
The bill is modeled on a California statute passed in September to protect students’ personal data.
There’s a lot at stake: think student records that cover attendance, grades, discipline, health, academics, intimate details about family members, parent and student contact information, biometrics, and sometimes even a child’s geolocation.
It’s yet another hot-button issue that’s covered by yet another patchwork of state laws.
As of September 2014, the National Conference of State Legislatures had tracked legislation introduced in 36 states in the preceding year, all focused on getting a better grip on the rampant data collection in the educational software market, which was estimated at $7.9 billion in 2013.
The proposed federal bill would prevent companies from selling student data to third parties for non-education purposes or from target-advertising to students based on data mined from them when they’re in school.
The two bills are just part of the President’s data privacy/cybersecurity talking points, which also included a voluntary code of conduct for utilities and third parties to protect smart grid customer data privacy and a consumer privacy bill of rights that should be out in a revised form within 45 days.
This week will be full of even more privacy and cybersecurity talk, as the president gears up for his State of the Union address on 20 January.