In the wake of a barrage of data thefts affecting tens of millions of U.S. citizens, President Barack Obama on Monday proposed national legislation to regulate breach notification.
Other legislation proposed by Obama would ban companies from selling student data to other organizations for non-educational uses and from using information derived from schools to target students for advertising.
The White House also said it will release within 45 days a revised proposal for legislation calling for a so-called consumer-privacy bill of rights. The Federal Trade Commission has supported similar legislation in recent years.
The flurry of proposed rules follows a year in which consumers and companies alike were rocked by a seemingly endless string of online data thefts, including breaches at major retailers and financial institutions involving credit and debit card data.
Some 64.4 million credit and debit cards were compromised in breaches in 2014, up 38% from 2013, according to preliminary figures from the Identity Theft Resource Center. The Home Depot Inc. breach, which the chain confirmed in September, alone accounted for 56 million of those cards.
The Personal Data Notification & Protection Act would require that breached companies notify affected consumers within 30 days of the discovery of the intrusion. It also offers companies the “certainty of a single, national standard,” according to a White House fact sheet. Card issuers, acquirers, and merchants—which have long been whipsawed by a patchwork of differing breach-disclosure laws from 48 states—are expected to welcome the proposal.
Still, the proposal is likely to run into complications, according to experts. “The national breach notification law is long overdue,” says Robert Cattanach, a partner at Dorsey & Whitney LLP, an international law firm based in Minneapolis, in a statement. “This initiative may not receive the support it once could have from the business community, and is likely to get stalled in the inevitable disagreement over how it would be enforced … and whether it will pre-empt more aggressive state laws–the last issue may be a deal-killer either way.”
Industry reaction to Obama’s proposals was generally positive. “Banks invest hundreds of millions of dollars every year to put in place multiple layers of security to protect sensitive data … We look forward to working with the White House, members of Congress on both sides of the aisle, regulators, and the private sector to find common ground and better protect consumers and our critical infrastructures from cyber threats, data breaches, and fraud,” said Frank Keating, president and chief executive of the American Bankers Association, in a statement.
“From mandating credit cards for federal government employees that require both a PIN and chip to advocating for a uniform federal data-breach notification law, the President is moving the conversation and taking affirmative steps that will help retailers and their customers battle cyber fraud and abuse,” said David French, senior vice president for government relations at the National Retail Federation, in a statement.
In October, Obama signed an executive order committing the federal government to offer and accept Europay-MasterCard-Visa (EMV) chip cards with PINs as part of the government’s “Buy Secure” initiative.
Beyond Monday’s proposals, which Obama outlined in an announcement at the FTC offices, the president is also expected to discuss data security during his upcoming State of the Union address.