President Obama Mentions Privacy and Cyber Security as a Prelude to the State of the Union

Published On January 14, 2015 | By Katherine Robison | FTC & State AG, Privacy

President Obama once again turned his attention towards online privacy and security issues. During his January 12th speech at the Federal Trade Commission (FTC), he announced new proposed legislation aimed at protecting American consumers from identity theft and ensuring privacy, including for children. Interestingly, Obama’s speech marked the first time that an American President visited the FTC since FDR dedicated the FTC building in 1937.

This was the first of three appearances Obama made this week to preview his privacy and security agenda prior to the upcoming State of the Union address, scheduled for next Tuesday, January 20th. Following his speech at the Department of Homeland Security (DHS) regarding cyber-security on January 13th, he discussed affordable broadband access on January 14th in Iowa. These proposals follow on the heels of the “Buy Secure” Initiative launched by Executive Order last October, under which companies are moving to stronger chip-and-pin technology for credit cards.

At the FTC, Obama previewed three pieces of proposed privacy legislation:

Personal Data Notification & Protection Act: Creates a national standard for data breach notification, requiring companies to notify consumers within 30 days after a breach is discovered. Currently, 49 separate state laws set differing requirements for breach notification. This proposed law may also include language that would, according to Obama, “close loopholes” and allow for easier prosecution of criminals who commit identity theft, even overseas.

Obama took this opportunity to commend the financial companies who have committed to providing consumers with free access to their credit scores – such as JPMorgan Chase, Bank of America, USAA, Ally Financial, and State Employee’s Credit Union – which serves as an “early warning system” of fraud for consumers.

Consumer Privacy Bill of Rights: Sets out basic principles of consumer privacy that would apply across industries. The stated goal is to protect consumers’ personal privacy while ensuring that the industry can continue to innovate. Obama mentioned three of the basic principles that will be included in the bill of rights: consumers should be given the right to decide what personal data companies are allowed to collect and how the company can use it; information collected for one purpose should not be misused for another purpose; and information should be stored securely by the company accountable for its use. This bill is set to be introduced at the end of February . The White House first floated a Consumer Privacy Bill of Rights in 2012, but, to date, it had not gained any traction in Congress.

Student Digital Privacy Act: Prohibits companies from selling student data to third parties for commercial purposes, such as targeted advertising. Instead, data collected from students in the classroom can only be used for educational purposes. Obama seems to recognize the value of technology in education: “the good news is we’ve got new educational technologies that are transforming how our children learn.” In fact, this bill is related to the ConnectED initiative, which seeks to connect 99% of American students to high-speed Internet by 2018.

Obama also took this opportunity to commend the 75 companies across the country that have already signed the Student Privacy Pledge, which includes a commitment not to sell student information or use educational technologies to engage in targeted advertising to students.

At the DHS, Obama previewed proposed legislation aimed at increasing cybersecurity:

Obama’s tour continued the next day with a visit to the DHS 24-hour cyber watch center, known as the National Cybersecurity and Communications Integration Center (NCCIC), where he discussed proposed legislation in the cybersecurity area:

Cybersecurity Information Sharing: Promotes better cybersecurity information sharing between the private sector and government, and enhances collaboration and information sharing within the private sector. Specifically, the proposal encourages private sector actors to share threat information with the DHS’s NCCIC by providing those entities targeted protection for liability that may arise from that sharing. To qualify for liability protection, private sector actors will need to comply with certain privacy restrictions such as removing unnecessary personal information and taking steps to protect any personal information that will be shared. The proposal also requires the DHS and the Attorney General (in consultation with others) to develop receipt, retention, use, and disclosure guidelines for the federal government.

Modernizing Law Enforcement of Cybercrime: Provides law enforcement with additional tools to investigate, disrupt, and prosecute cybercrime. Some of the specific provisions previewed would: allow the prosecution of the sale of botnets; criminalize overseas sales of stolen U.S. financial information (like credit card and bank account numbers); expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft; and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. This legislation would update RICO (Racketeering Influenced and Corrupt Organizations Act) to apply to cybercrimes while clarifying the penalties for those crimes; and also modernize the CFAA (Computer Fraud and Abuse Act) to ensure that insignificant conduct does not fall within the scope of the statute.

While there is no guarantee that the proposed legislation will pass, or will pass in the form it was originally proposed, Obama is taking affirmative steps to make his privacy agenda clear. By noting that protecting our information and privacy in the Information Age should not be a partisan issue, Obama clearly hopes that Congress will work together in this important area.

About The Author

Katherine’s practice concentrates on representing clients in litigation, with a focus on defending companies in complex privacy-related class action lawsuits. She also advises clients on compliance with federal and state privacy and security laws. Prior to joining ZwillGen, Katherine was counsel in the San Francisco office of O’Melveny & Myers LLP.

Comments