On Tuesday, President Obama delivered his State of the Union address (“SOTU”), which included proposals regarding privacy and data security. This isn’t the first time that we’ve heard promises about these topics in the SOTU. But, as 2014 has been referred to as “the year of the data breach,” the stars may align to finally result in the passage of cyber security legislation, and perhaps also comprehensive privacy legislation. Below are some of President Obama’s comments regarding privacy and data security, along with our analysis.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
There’s an awful lot in this paragraph addressing both cyber security and privacy issues. Here’s our breakdown:
Cyber Security: Data breach notification, public-private intelligence sharing and cyber education grants
President Obama’s SOTU address, along with his speeches last week before the Federal Trade Commission (“FTC”) and Department of Homeland Security (“DHS”), references the President’s very ambitious cyber agenda. On the President’s to-do list are enacting a federal data protection and breach notification law, facilitating sharing of cyber information between the government and private sectors, and creating cyber education grants.
The problem of data breaches costs our country billions of dollars, and recent breaches have compromised the data of 100 million Americans. Currently 48 states have data breach notification laws, which can be confusing for consumers and costly for companies to comply with. In his January 12, 2015 speech at the FTC, President Obama pushed for a cohesive federal law that provides a “single, strong national standard.” According to the administration’s legislative proposal, companies would be required to notify consumers within 30 days of a breach, and loopholes in existing law would be closed so that cyber criminals could be pursued overseas.
Some progress has already been made towards enacting a federal data breach law. Following the President’s speech at the FTC, Senator Bill Nelson introduced a data security bill on January 13, 2015 that would require companies to establish reasonable security policies and procedures and provide nationwide notice in the event of a data breach. In the GOP’s official response to the SOTU, Senator Ernst promised the party would work to “advance solutions to prevent the kind of cyber attacks we’ve seen recently.” The House Subcommittee of Commerce, Manufacturing, and Trade has scheduled a hearing for January 27, 2015 entitled “What are the Elements of Sound Data Breach Legislation?” Representatives Marsha Blackburn and Peter Welch are also working on a data security bill that would create federal data breach notification standards, increase information sharing related to cybersecurity, and require companies to inform consumers about how they collect and use data.
The day after the President spoke at the FTC, he addressed the Department of Homeland Security to discuss his proposed updates to legislation related to cybersecurity information sharing and enforcement of cybercrimes. The proposed cybersecurity authority and information sharing legislation would build upon existing legislation and codify mechanisms to enable cybersecurity information sharing. The bill calls for real-time sharing of cyber threat indicators and the formation of private information sharing and analysis organizations. Under the proposed law, companies that share information would be protected from liability. President Obama also proposed updates to the Computer Fraud and Abuse Act, which would strengthen and clarify law enforcement’s ability to investigate and prosecute cybercrimes. To continue progress in this arena, the President is planning a White House summit that will convene next month and bring together industry, tech companies, law enforcement, consumer and privacy advocates, and law professors to discuss issues related to cybersecurity and consumer protection.
Lastly, the Department of Energy will be providing a $25 million grant over five years to improve cybersecurity education. These grants will be distributed to 13 historically black colleges and universities, 2 DOE labs, and the Charleston, South Carolina school district.
Privacy: A Privacy Bill of Rights (Fair Information Practice Principles) and an Education Privacy Bill
President Obama has also prioritized protecting consumer privacy. During his speech before the FTC, he proposed the adoption of a Consumer Privacy Bill of Rights with basic principles to protect personal privacy. These principles include informing consumers how their data will be used and holding companies accountable for securely storing personal information. President Obama promised the legislation would be introduced by the end of next month.
Additionally, the President proposed the “Student Digital Privacy Act”, which would prevent data collected from students in the classroom from being sold to third parties for purposes other than education. One of his goals with this legislation is to prevent any student profiling that would put certain students at a disadvantage as they advance through school.
“As Americans, we cherish our civil liberties — and we need to uphold that commitment if we want maximum cooperation from other countries and industry in our fight against terrorist networks. So while some have moved on from the debates over our surveillance programs, I haven’t. As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we’ll issue a report on how we’re keeping our promise to keep our country safe while strengthening privacy.”
Intelligence: Progress Report on NSA Surveillance Programs
In January 2014, President Obama announced a presidential policy directive to limit, refine, and safeguard the collection of signals intelligence for national security purposes. On January 15, 2015, the National Journal reported that the administration plans to release, by the end of this month, more information about how surveillance programs have been changed over the last year. The announcement will detail how the NSA’s bulk collection of domestic phone records has changed. The President confirmed in the SOTU that the report is forthcoming.
Photo by Phil Roeder from Flickr