President Obama on Monday unveiled a series of new bills designed to ratchet up cybersecurity protections in the wake of a massive data breach at Sony Pictures, warning the growing problem of online attacks “costs us billions of dollars.”
“This is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said Monday during a speech at the Federal Trade Commission. “If were going to be connected, we’ve got to be protected.”
Obama unveiled the Personal Data Notification and Protection Act, a bill that would require all corporations to notify consumers within a month if their personal information had been exposed in a data breach. The bill would criminalize the overseas trade of identify information and would attempt to standardize the individual state privacy laws that currently govern data beach notifications.
“It’s confusing for consumers and it’s consuming for companies, and it’s costly too to have to comply with this patchwork of laws,” Obama said.
The president also said the administration would soon release the legislative language for its Consumer Privacy Bill of Rights, a bill that would create “some basic, baseline” protections to govern the collection of data, and that he hoped Congress would undertake debate on the proposed bill.
“The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” Obama said.
The president also proposed a Student Digital Privacy Act, which would prohibit companies from selling data collected on school technology. The legislation, modeled on a similar law in California, would keep firms from using personal data collected from the computers, tablets and software that are increasingly prevalent in the classroom.
“We want our kids privacy protected — no matter where they sign on,” Obama said.
That proposal was accompanied by an announcement that the administration has secured pledges from 75 companies, including Apple and Microsoft, to provide parents and teachers with protections against the misuse of their data.
Obama said JPMorganChase, USAA and the State Employees’ Credit Union are joining a group of financial firms that have already agreed to make credit scores available to consumers.
Privacy advocated largely applauded the president’s efforts, although said they were eager to hear the specific details of the legislative proposals.
“The president’s announcement on the imminent release of a bill to implement the Consumer Privacy Bill of Rights is welcome news, but the devil is very much in the details,” said Alvaro Bedoya, the executive director of Georgetown’s Center on Privacy & Technology. Bedoya said he wanted to know if the president’s proposed legislation would put limits on companies’ use of private health and biometric data, especially with the explosion of wearable technology and fitness applications.
Nuala O’Connor, the president of the Center for Democracy and Technology, said the legislation would “help build consumer trust, promote technological innovation, and create a digital framework that respects the right to privacy in our daily lives.”
And the Future of Privacy Forum, which helped develop the pledge signed by software companies limiting their use of student data, credited the White House as “instrumental” in bringing aboard the dozens of signees.
“In a gridlocked Congress where federal legislation faces challenges, the pledge creates an immediate and enforceable legal code for companies that sign on,” said FPF Executive Director Jules Polonetsky.
But Paul Bond, a member of the board of the Identity Theft Resource Center, said similar proposals had fizzled in the past. In 2011, the administration proposed legislation that would have provided a 60-day notification trigger rather than a 30-day one.
“Businesses should have just one standard to follow,” Bond said. “But the logic of such preemption has been impeccable for almost a decade, and we have yet to see the follow-through.”
The announcements Monday were part of a weeklong focus on cybersecurity by the president.
On Tuesday, Obama is expected to discuss the legislative proposals with a bipartisan, bicameral group of congressional leaders meeting at the White House. Later that day, Obama will head to the National Cybersecurity and Communications Integration Center, where he’s expected to discuss efforts to increase cybersecurity information sharing between private sector firms and the government.
That’s especially important because many firms have been reticent to share their ideas and best practices for cybersecurity with their competitors. The White House hopes that it can use government to facilitate a better exchange of methods to combat cyber security.
Congress has for years been debating the Cyber Intelligence Sharing and Protection Act (CISPA) legislation, which would provide businesses liability protection that would facilitate the sharing of cybersecurity information between the government and private sector companies. The companies that participate would receive liability protections.
But the bill has repeatedly stalled in the Senate, and the White House has previously expressed concerns that it lacks the appropriate confidentiality and civil liberties safeguards. Internet privacy groups have warned the bill could allow government monitoring of individuals’ browsing information. It’s not clear if the president will offer alternative legislation to CISPA on Tuesday.
Sen. John Thune (R-S.D.), the chairman of the Senate Commerce, Science, and Transportation Committee, issued a statement welcoming the president “back to the discussion on cybersecurity” while noting that the Senate had not brought CISPA up for a vote last year.
“President Obama’s engaged support for similar legislation this Congress would help address cyber threats, improve privacy protections, and would also begin to address concerns over the president’s go-it-alone approach of unilateral executive actions on cyber and other issues,” Thune said.
On Wednesday, the president plans to travel to Cedar Falls, Iowa to detail new steps to increase access to high-speed Internet. Cedar Falls provides fiber internet access to local homes and businesses that can work at speeds of up to 1 gigabit per second, and the state’s governor recently unveiled new plans to expand mobile broadband access in rural farm areas.
The next day, Vice President Biden will visit to Norfolk, Va., to announce new funding to help train those interested in the cybersecurity field.
— This story was first posted at 7:50 a.m. and has been updated.