In FTC Speech, Obama Calls For Federal Data Breach Law

President Obama proposed new legislation on Monday that would require companies to notify customers within 30 days of identifying a data breach.

Speaking at the Federal Trade Commission, Obama called for federal rules establishing a 30-day notification requirement. The Personal Data Notification & Protection Act also criminalizes illicit overseas trading or selling of stolen identity data.

"The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy," Obama said. "Right now, almost every state has a different law on this, and it's confusing for consumers and it's confusing for companies -- and it's costly, too, to have to comply to this patchwork of laws."



The president's remarks were made ahead of his State of the Union address later this month, where cybersecurity and critical infrastructure protection are expected to be a key part of the speech. Obama has spoken out recently about cybersecurity issues following the Sony breach, in which he called on organizations to stand up against criminal attacks attempting to restrict free speech.

Bills to create a national standard for breach notification have been introduced in the past, but none has passed Congress.

Data breaches have taken center stage among policy-makers after a year of near-continuous high-profile breaches in the retail industry and, most recently, the attack that crippled Sony Pictures Entertainment in November. Breaches at Target, Home Depot, Staples, Michaels Stores, Neiman Marcus and other major retailers resulted in the theft of millions of credit and debit card numbers. Attackers that the FBI has linked to North Korea infiltrated the corporate network of Sony Pictures, making off with email messages, unreleased movies and other confidential documents.

"When these cybercriminals start racking up charges on your card, it can destroy your credit rating. It can turn your life upside down," Obama said. "It may take you months to get your finances back in order. So this is a direct threat to the economic security of American families, and we've got to stop it."

Solution providers told CRN that clients are increasingly asking questions about data protection and threat detection. The high-profile data breaches have fostered a greater awareness about cybersecurity issues, but executives at some small and midsize businesses still believe that cybercriminals only target large, well-known companies, said Matthew Lawson, professional services director and head of the security practice at Dallas-based Tech10 Networks. Lawson said he often sets up an unprotected virtual machine connected to a public gateway to show prospective clients that it only takes minutes before it gets attacked.

"Small business owners really don't understand that they are valuable targets," Lawson said. "Once they start looking at our security audit and see exactly what is in their network, it baffles them."

Nearly all states have enacted some form of data breach notification rules modeled on California's, which was the first state to adopt such a law. Under the California law, enacted in 2002, companies must report a data breach to affected customers expeditiously, but notification may be delayed if law enforcement investigators determine it would impede a criminal investigation.

Obama also released a new legislative proposal to prevent companies from selling student data and from engaging in targeted advertising to students based on data collected in school. The White House said the goal is to permit research initiatives to improve student learning outcomes and bolster online learning initiatives.

The White House has been taking steps to address cybersecurity amid a Congress that hasn't been able to pass legislation on the matter. In October, Obama issued an executive order on payment fraud, directing federal agencies to purchase modern payment terminals that support chip-embedded credit cards designed to thwart fraud at brick-and-mortar stores. The order also requires agencies that accept online payments to protect personally identifiable information using multifactor authentication and to establish "effective identity proofing" to protect privacy. In November, Obama called for rules to protect net neutrality.

Retail and financial industry groups have, so far, come out in support of the cybersecurity proposals the president announced on Monday. The National Retail Federation said it has long supported a national data breach notification standard.

"The retail industry has been actively engaged in working with a number of stakeholders on solutions to a problem that is not unique to a single industry and continues to grow in size, scope and cost. We applaud the president and his administration in their continued efforts to push and enact cyber and data security policies that protect consumers while providing much-needed focus on concrete steps that can be taken now in order to protect consumers and businesses alike from cybercriminals."

The American Bankers Association said it supports legislation that would facilitate increased information sharing between the public and private sectors while protecting consumer privacy.

"We look forward to working with the White House, members of Congress on both sides of the aisle, regulators and the private sector to find common ground and better protect consumers and our critical infrastructures from cyber threats, data breaches and fraud," the ABA said in a statement.