President pivots to cyberspace
The White House has begun rolling out a series of cyber-related legislative proposals targeting both consumer and national security issues.
One week shy of his seventh State of the Union address, President Barack Obama is laying out a series of legislative proposals and executive actions dealing with identity theft, privacy issues, cybersecurity and access to the Internet that will be included in the Jan. 20 speech.
The focus Jan. 12 was on consumer issues. Over the next few days Obama will be discussing cybersecurity, in the wake of an apparent attack on U.S. Central Command by hackers claiming alliance with the Islamic State.
"If were going to be connected we need to be protected," he said in remarks at the Federal Trade Commission in Washington, D.C., on Jan. 12. "As Americans, we shouldn't have to forfeit our basic privacy when we go online to do our business."
One proposal would create a 30-day notification requirement for companies to inform consumers about breaches, creating a federal standard that would supersede state laws.
"There's a hodge-podge of requirements that vary by state," White House Press Secretary Josh Earnest said in a Jan. 12 press conference. "By putting in place a tough national standard, it will give some clarity to businesses."
But Mark McCarthy, vice president of public policy at the Software and Information Industry Association, is not convinced such a law would help actually protect consumers.
"We all agree that it's essential to protect consumer data privacy, but new federal regulations won't make consumers any safer," McCarthy said in a statement. "The fact is, the FTC has proven time and again that it has full authority to bring actions against companies that provide misleading privacy notices or fail to protect personal information. New consumer privacy legislation should be considered only if there are actual and substantial harms that are not addressed by current law."
The proposal would also make the metrics for reporting breaches equal between the private sector and government. The Federal Information Security Modernization Act, signed into law last month, requires federal agencies to report breaches in a 30-day window.
The White House also is calling on Congress to consider is a revised "consumer privacy bill of rights."
"We believe that consumers have the right to decide what personal data companies collect from them and how companies use that data, that information; the right to know that your personal information collected for one purpose can't then be misused by a company for a different purpose; the right to have your information stored securely by companies that are accountable for its use," Obama said.
This is the White House's second attempt to codify consumer privacy rights. A 2012 version made no progress in Congress.
Maria Horton, CEO and Founder of EmeSec, a cloud security and engineering company, said such efforts don't do enough to address the internal activities that lead to data breaches.
"Breaches are really after the fact and do not necessarily address the preemptive or proactive protections of security and privacy practices," Horton said. "In some instances, where a private company is targeted, the breach reporting/penalty could be similar to blaming the victim, with the company targeted by a much larger nation state or competitor."
A third proposal, meanwhile, addresses student digital privacy, which is aimed at stopping companies from using targeted advertising based on information collected from students.
"We're saying that data collected on students in the classroom should only be used for educational purposes -- to teach our children, not to market to our children," Obama said. "We want to prevent companies from selling student data to third parties for purposes other than education."
On Jan. 13 Obama is scheduled to visit the National Cybersecurity and Communications Integration Center, where he is expected to encourage more information sharing and collaboration between government and the private sector.
On Jan. 15 in Norfolk, Va., Vice President Joe Biden will announce new funding to help train the cybersecurity workforce.