President Obama on Monday announced a laundry list of proposals to improve the data privacy of US consumers.
One of his announcements was a proposal to create a federal law to replace what he called a “patchwork” of state laws addressing data breach disclosures.
During his speech at the Federal Trade Commission (FTC), he introduced the new law, which would compel companies to be forthcoming with details of breaches such as those suffered by the likes of Sony, Target and Home Depot.
The Washington Post quotes him:
We're introducing new legislation to create a single strong national standard so Americans know when their information has been stolen or misused. Right now almost every state has a different law on this and it's confusing for consumers and it's confusing for companies - and it's costly too, to have to comply with this patchwork of laws.
He’s certainly right about the US having a patchwork of disclosure laws. As of September, 47 states had such laws, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, according to the National Conference of State Legislatures.
Congress hasn’t yet seen details of the proposed Personal Data Notification and Protection Act, which would obligate companies to notify customers within 30 days of discovering a breach that exposed their personal information.
But a federal standard could actually be weaker than notification windows passed by some states recently. For example, in California and Connecticut, companies need to get notifications out within a lightning-fast five days of any breaches that involve health care and insurance data.
Here’s a summary of state data breach laws, and here’s a full list.
Marc Rotenberg, the president of the Electronic Privacy Information Center (EPIC), likes the fast turnaround a lot better than the president’s 30-day disclosure timeline:
The problem is that the effect will likely be to pre-empt the stronger state laws. We want a federal baseline, and leave the states with the freedom to establish stronger standards.
The President also announced the Student Digital Privacy Act: proposed legislation designed to protect student data from being used for non-educational purposes.
The bill is modeled on a California statute passed in September to protect students’ personal data.
There’s a lot at stake: think student records that cover attendance, grades, discipline, health, academics, intimate details about family members, parent and student contact information, biometrics, and sometimes even a child’s geolocation.
It’s yet another hot-button issue that’s covered by yet another patchwork of state laws.
As of September 2014, the National Conference of State Legislatures had tracked legislature introduced in 36 states in the preceding year, all focused on getting a better grip on the rampant data collection in the educational software market, which was estimated at $7.9 billion in 2013.
The proposed federal bill would prevent companies from selling student data to third parties for non-education purposes or from target-advertising to students based on data mined from them when they’re in school.
The two bills are just part of the President’s data privacy/cybersecurity talking points, which also included a voluntary code of conduct for utilities and third parties to protect smart grid customer data privacy and a consumer privacy bill of rights that should be out in a revised form within 45 days.
This week will be full of even more privacy and cybersecurity talk, as the president gears up for his State of the Union address on 20 January.
Image of Barack Obama courtesy of Mykhaylo Palinchak / Shutterstock.com.
Gavin
Has Edward Snowden been forgotten so quickly? How can the US government talk earnestly about individuals’ privacy in any sense?
Yes, there needs to be some coherence in merchant breach disclosures and in how student data is shared. These are two areas in need of definite reform.
But I am so unimpressed when conversations like this can occur while there has been no meaningful reform by the Federal Government itself on how it accesses, stores and reserves the right to search anyone’s information it chooses.
The world has gone mad.
Deramin
The world always was mad. Democracies by their nature are an ecosystem of competing goals, philosophies, and ideas haphazardly getting pass into and removed from law. In many ways this just gets amplified in a representative republic like the US.
It does smack a of hypocrisy for the government to demand greater consumer privacy protections from the commercial and educations sectors while they let their own officers run roughshod over those privacies.
But sometimes you have to take what you can get. It’s a step in the right direction, even if it doesn’t go far enough. And if this change starts to rekindle citizen’s interest in their privacy it will help drive them to demand more of their government eventually.
Datastyle
It sounds to me like some kind of cynical strategy to deflect suspicion that the security services have seen the latest terror attack as a golden opportunity to erode our rights. Strange how it kind of coincides with Nick Clegg’s statement that he opposes more powers of wanton snoopery for MI5
WesD
Hook, line and sinker. Now the NSA won’t have to strong arm the majority of companies into handing their data over through secret courts, it will be given freely.