Obama proposes new 30-day data breach notification law

President Barack Obama previewed a new data breach notification law today in a speech to the Federal Trade Commission, which will set a 30-day deadline for notifications.

He said that this year's data breaches, including the recent hack of Sony, make the economy more vulnerable.

"Today, I'm focusing on how we can better protect American consumers from identity theft and ensure our privacy, including for our children at school," he said.

To start with, he pointed out that almost every state has a different law on the books about how and when to notify people in the event of a data breach.

For example, according to Baker & Hostetler LLP, a national law firm with a focus on data privacy issues, notification deadlines vary from five days in Connecticut to 45 days in Ohio, Vermont, and Wisconsin.

"It's confusing for consumers and it's confusing for companies -- and it's costly, too, to have to comply to this patchwork of laws," said Obama. "Sometimes, folks don't even find out their credit card information has been stolen until they see charges on their bill, and then it's too late."

A common set of laws, even with stringent rules, would be welcomed by many in the industry, said Jim Reavis, CEO of the Cloud Security Alliance.

"We've been looking for uniformity," he said. "If we create more uniformity in the country, it will be good for the industry."

Under the proposed law, there would be a uniform 30-day breach notification deadline, with the clock starting when the breach is discovered.

"In addition, we're proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans -- even when they do it overseas," Obama said.

The president also proposed a Consumer Privacy Bill of Rights, which would ensure that consumers would have the right to decide how companies use their personal data, and the Student Digital Privacy Act, which would restrict the use of data collected about students.

The president called on business leaders and consumer privacy advocates to work together to get these laws passed.

"This mission, protecting our information and privacy in the Information Age, this should not be a partisan issue," he said. "This should be something that unites all of us as Americans."

However, several previous attempts to pass similar legislation have all failed and, even with both houses now under the control of the opposing political party, the odds are no better this time around, said John Pescatore, director of emerging trends at the SANS Institute.

For example, even if both houses approve the bill, they may water it down to such an extent that the president vetoes it, he said.

And none of the important details, such as what specifically constitutes a data breach, have been released yet, he added.

"Is it simply that the data was lost?" he asked. "Someone lost a data tape and can't find it -- does it require notification? Or does it require proof that someone saw the information? These are some of the things that are different state by state."

Not every breach is the same, said Tsion Gonen, chief strategy officer at SafeNet, Inc., which was just acquired by Amsterdam-based cybersecurity firm Gemalto.

"For example, it is possible for a company to be breached, and yet still protect the data with technologies like encryption," he said.

Security experts also had some criticism of the 30-day notification deadline.

"Thirty days is an aggressive window," said Kevin Jones, senior security architect at Washington, DC-based Thycotic Software, Ltd.

Companies have to fully understand the scope of the breach first, and fix any ongoing security issues, before they go public, he said.

"A shot clock of 30 days may cause organizations to buckle under pressure and disclose before the issue is fully addressed, which would just bring the spotlight on them for attackers," he said.

And there doesn't seem to be any incentive for companies to discover breaches earlier, said Kevin Conklin, VP of marketing and product strategy at Framingham, Mass.-based security firm Prelert Inc.

"It's an average of 200 days or more before companies learn of a breach," he said. "At that point, the damage to consumers has already been done. Forcing companies to report breaches quickly is important, but these companies need to proactively take steps to identify breaches earlier."

"A rush to disclosure can sometimes hamper research by law enforcement and other parties," added Drew Kilbourne, managing director at Dulles, VA-based Cigital. "Often breaches are not immediately disclosed in order to not tip off the attacker that they have been discovered, allowing time to study the attack to learn about new or evolved tradecraft and attack vectors and perform attribution."

The proposed law will not make anyone safer or prevent breaches, he added. Breach notifications are more about retaining customers and public perception.

"Quicker notification may be more window dressing than an effective strategy," he said.


Stories by Maria Korolov
