On January 12 President Obama visited the Federal Trade Commission (“FTC”) where he unveiled several new data security and privacy initiatives, including proposed legislation to create a national data breach notification law and strengthen student privacy. According to the White House, President Obama’s visit to the FTC was the beginning of a broader effort to focus on cybersecurity and privacy issues in the lead-up to his State of the Union address next week.
During his visit to the FTC, the President acknowledged the tremendous and ever-increasing importance of cybersecurity and privacy, for while the interconnected age allows individuals to conduct more business online than ever before, cyber-attacks and data exfiltration are chronic, and exact significant financial tolls on companies and consumers alike.
A National Data Breach Notification Standard
In his remarks, President Obama announced his administration’s plans to introduce the Personal Data Notification & Protection Act to Congress, which would create a single, national data breach notification standard and require companies to notify consumers within 30 days of a breach. In highlighting the need for a comprehensive, national breach notification structure, President Obama called the current system of 47 separate state and territorial data breach notification requirements a “patchwork” that is both costly and confusing for consumers and businesses. If passed, the Personal Data Notification & Protection Act would be the first federal data breach notification law applicable to the private sector (Congress passed a data breach notification requirement for federal agencies as part of the National Cybersecurity Protection Act of 2014 last December).
President Obama also declared his intention to present to Congress a Consumer Privacy Bill of Rights, which would establish restrictions on how consumers’ information could be collected and used, and would prevent companies from using consumer information beyond the scope of consent. Relatedly, the White House announced that the U.S. Department of Commerce had completed its public consultation on revised draft legislation language and that the Administration would submit a draft to Congress by the end of February.
The President further touted the Administration’s non-legislative efforts to protect consumer privacy. In the energy sector, for instance, the Department of Energy and the Federal Smart Grid Task Force released a Voluntary Code of Conduct to allow utilities and third parties to guard customer data while increasing the ability of consumers to control the use and maintenance of their information.
In turning an eye to children’s privacy, the President unveiled the Student Digital Privacy Act, a bill designed to protect student privacy by preventing companies from engaging in targeted advertising to students based on data collected at school, and prohibiting the selling of student data to third parties for purposes unrelated to its educational mission. Despite these restrictions, the Student Digital Privacy Act would permit research and efforts by companies to improve their products and students’ learning outcomes.
Is 2015 Going to be the Year of Aggressive Privacy and Security Action in Washington?
Given the FTC’s aggressive history of enforcement in the data security space, President Obama’s decision to announce his administration’s latest privacy and data security efforts on the Commission’s home turf was fitting. Yet while President Obama offered an ambitious data security and privacy legislative agenda, the language for many of the proposed pieces of legislation has yet to be publicly released. However, President Obama’s willingness to put data security and privacy front-and-center may demonstrate that 2015 will be a year of renewed effort by his Administration to address cybersecurity and consumer privacy issues.
The President’s appeal for congressional action in the cybersecurity arena comes just as the 114th Congress is getting underway, yet members of Congress are already heeding the call by introducing their own legislation. Most significantly, Congressman C.A. Dutch Ruppersberger (D-Md.), the former ranking member of the House Intelligence Committee, has reintroduced the Cyber Information Sharing and Protection Act (CISPA) (H.R. 234). At its core, CISPA is designed to allow government agencies and private sector entities to better share Internet traffic information in order to guard against cyber-attacks and investigate cyber threats. CISPA had passed the House of Representatives during the 112th and 113th Congresses but failed to secure passage in the Senate amid opposition from privacy and civil liberties groups as well as the White House.
With the flurry of proposed legislation coming from the President and members of Congress, cybersecurity and privacy watchers should pay close attention to the legislative action on Capitol Hill in 2015 as these and other bills take shape. At the very least, President Obama’s proposed legislation and the reintroduction of CISPA show that cybersecurity will be at the forefront of the federal government’s attention for the year to come.