As part of a the runup to his State of the Union speech on Jan. 20, President Obama proposed legislation today requiring companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data.
A national breach notification law has been the subject of a fierce battle on the Hill for years to no avail, but the specter of Sony's massive and very public breach, as well as the Year of the Retailer Breach in 2014, provided a high-profile backdrop for the president's announcement. Obama's proposed Personal Data Notification and Protection Act aims to unify the differing and often confusing mix of notification laws across 48 states.
"We're introducing new legislation to create a… strong national standard so Americans know when their information has been stolen," Obama said at a Federal Trade Commission (FTC) event today in Washington. "Under the new standard we’re proposing, companies would have to notify consumers of a breach within 30 days."
The proposed 30-day policy drew mostly praise from security experts. But policy watchers say the chances of Congress ultimately passing a mandatory disclosure law appear slim, even with the Sony breach and other high-profile incidents in the past year as prime ammunition for action.
"Mandatory notification will not pass Congress automatically or quickly," says Kristen Verderame, CEO of Pondera International, a boutique consultancy that works with startups and specializes in cyber security policy. "My experience is that the same opponents will push against any legislation on this topic, as they have in the past -- despite Sony -- and corporations will continue to use the same cost/benefit analysis to determine whether and when to make the existence of a breach public."
The new Republican-majority Congress will make any mandatory rules for businesses even more difficult to pass, Verderame says. But "harmonizing" breach notification requirements could be achieved by the administration and Congress. "The exception to this may be simply harmonizing data breach notification requirements across the country so that there is one rule for companies to follow, instead of 50. The business community supports, as do I, harmonization wherever it aids compliance."
Breach notification is a delicate dance for businesses, and if there's a relatively tight deadline imposed, it's risky for them image-wise and shareholder-wise, for instance. "Having served as an exec at a Fortune 100 company, I agree with many corporates' views that, if companies are forced to announce breaches to the public on a certain timeline that may not accommodate necessary risk and preparatory analysis, more risk of harm to the company may be caused."
Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says.
"I am hopeful that we're finally at the stage where we can move some of these pieces through Congress and the administration… because we've seen a natural maturation process, with a number of different bills going through Congress," Clinton says. "We might be at the right maturation point."
Battling ID theft
Obama's proposed legislation also would criminalize "illicit overseas trade in identities," according to the White House.
In addition, the president set out related proposals for identity theft protection, announcing that JPMorgan Chase and Bank of America had teamed up with Fair Isaac Corp. (FICO) to make credit scores free to their consumer card customers. USAA and State Employees' Credit Union will do the same, and Ally Financial will make this information available to its auto loan customers, according to the White House.
"Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders," the White House said.
"The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy," Obama said at the FTC event.
Ken Levine, CEO of Digital Guardian, says the devil's in the details. "Breach notification is a good idea, depending on the definition of a breach. From a public perspective, there's always that fine line between so many breach notifications desensitizing people to the problem, or overly panicking."
[When an attacker wants nothing more than to bring ruin upon your business, you can't treat that attacker like just any criminal. Just ask Sony. Read How NOT To Be The Next Sony: Defending Against Destructive Attacks.]
Today's announcements kicked off a week of pre-State of the Union cyber security and privacy initiatives. The other initiatives being announced by the administration this week include a proposed Student Digital Privacy Act, which would ensure any data collected in education environments isn't sold to third parties for targeted advertising or other non-educational purposes; new Department of Education services to protect students' privacy, including teacher training to help protect student data; a Voluntary Code of Conduct by which utilities and related third parties would pledge to protect customers' electricity data; and Customer Privacy Bill of Rights legislation, which would ensure online consumer data collection is not abused.
And that's not all: When he visits the National Cybersecurity and Communications Integration Center tomorrow, Obama is expected to talk about beefing up cyber security information sharing between the government and private industry. The long-debated and still-stalled Cyber Intelligence Sharing and Protection Act (CISPA) will likely be front and center of that discussion. That bill aims to provide liability protection for companies that share attack intelligence, but privacy advocates aren't convinced that it would truly provide confidentiality and instead wouldn't lead to privacy-invading government monitoring.
CISPA isn't a cure-all for preventing breaches, either. "What concerns me about CISPA is that it will tempt organizations to focus on indicators of compromise and not a solid security program," says Ron Gula, CEO and CTO at Tenable Network Security. "If the government gives out a list of bad actors, organizations may feel they are doing enough -- and have invested enough -- if they don't have any evidence of those bad actors on their network." The bill wouldn't have prevented Sony's massive attack, despite pressure in Congress to pass CISPA in the wake of that breach.