White House Backs Raft of New Cyber Security Laws

President Barack Obama spoke at the FTC on Monday, proposing new laws to create a federal data leak law and new regulations that protect American consumers from identity theft.

President Obama used a speech at the Federal Trade Commission on Monday to call for a raft of new laws and reforms that would protect the privacy and online security of U.S. citizens and corporations.

Speaking at the FTC, President Obama highlighted a number of policies that he will propose in his State of the Union address to Congress. They include new laws aimed at endemic problems like identity theft and online tracking of consumer behavior.

The visit was notable for being the first time a sitting President has visited the FTC in 80 years, since 1937 and the administration of Franklin D. Roosevelt. Obama, who has been highlighting issues and ideas he will unveil in his State of the Union Address, said the address is one of a series of talks he will give this week focused on computer and online privacy. The President said he will follow his speech aimed at consumers at the FTC with an address on the subject of private-public partnerships on preventing cyber attacks at the Department of Homeland Security.

“So much of the prosperity we seek…depends on our digital economy,” Obama told an audience at the FTC. “As we’ve all been reminded of in the past year, including the hack of Sony, this enormous interconnection creates enormous opportunities but also creates enormous vulnerabilities for us as a nation, for our economy and for individual families,” he said.

The Personal Data Notification & Protection Act is another swing at a long-postponed Federal data breach notification law. The Act would clarify and strengthen laws that obligate businesses to notify customers when their personal information has been exposed. Among the changes would be a uniform, federal 30-day notification requirement from the discovery of a breach. The illicit trade of stolen identities would also be criminalized.

Also proposed: The Student Digital Privacy Act, which is designed to protect the data collected in the educational context from uses other than educational purposes. Companies that collect data from students would be prohibited from selling it to third parties for purposes unrelated to the educational mission. Students would also be shielded from targeted advertising informed by data collected in school.

Finally, the President proposed a Consumer Privacy Bill of Rights that would articulate federal guidelines covering the “context in which data is collected and ensure that users’ expectations are not abused.” According to a statement from the White House, the Commerce Department has completed public review of revised draft legislation enacting the Bill of Rights. The Administration plans to release a legislative proposal that incorporates public feedback within 45 days.

The announcement was the latest in a string of policy moves by the Administration – all of them Executive actions that do not require an Act of Congress.

In October, the President gave a boost to efforts to introduce more secure credit card technology in the U.S., issuing an Executive Order requiring that so-called “Chip and PIN” technology be used on any new or existing government debit and credit cards.

In recent weeks, the Obama Administration also took steps to penalize the government of North Korea for its alleged involvement in an attack on Sony Pictures Entertainment.

The President said that an increase in online threats and crime, like identity theft, has left Americans feeling as if they have lost control of their personal information, a development that could stifle innovation and economic productivity if not addressed.

In addition to the proposed legislation, the White House announced steps by private sector firms to support its agenda. JPMorganChase, Bank of America, USAA and State Employees’ Credit Union all announced that they would offer free credit reports to their customers.

Also, 75 companies that sell products and services in the education space signed a pledge created by the Future of Privacy Forum and the Software & Information Industry Association. That pledge commits them to provide parents, teachers, and students with what are described as “important protections against misuse of their data.”

Read more via the White House web site with: FACT SHEET: Safeguarding American Consumers & Families | The White House.

4 Comments

  1. It’s curious that banks like JPMorganChase and Bank of America are so eager to cooperate with the Administration’s plans. Chase currently fails Qualys’ SSL test (ranking: F) because it has yet to patch the POODLE TLS vulnerability – more than a month after a patch was released.
    Bank of America did eventually patch their systems, but it took them a long time. In contrast, many financial institutions managed to patch their systems within days of the release of the patch.

    The Administration’s efforts seem to be limited to disclosure after the fact and criminalizing selling data obtained through a breach. It would make more sense to address prevention, especially since even the Payment Card Industry (PCI) deems a one-month time period for patching critical vulnerabilities acceptable.

    • Interesting on Chase and Poodle issue – that’s worth noting/checking into. As for the free credit report stuff – meh. This is mostly PR for them – doing the “right thing” by consumers. Of course, as you say, they should also be keeping their servers patched to prevent breaches. But it would be hard for them to say “we patched Poodle or Heartbleed, everybody thank us!”

      Thanks for writing!
      Paul

    • I would really like to see a PIN associated with our SSNs. Right now social security numbers act both as a national identifier and an unchangeable password to our finances. A 4 to 6 digit changeable PIN would do wonders.

      @Fido It seems lately most companies cannot prevent really motivated hacking teams from getting what they want. While prevention would be the solution in an ideal world… I agree that more law enforcement is needed. The government should be working to ensure those engaging in the offending behavior are brought to justice. These people who write the crime toolkits are clearly very intelligent but they have chosen a life of crime due to the ability to make lots of money and a low chance of being punished.
