Prognosticators reading the government's privacy-policy tea leaves expected President Barack Obama to make specific mention of a national data-breach notification law during last night's State of the Union Address. But, alas, no direct mention of that or any other specific policy initiative related to data privacy or security made it into the final cut of his speech. Indeed, little was mentioned that would have a direct impact on advertisers.
The president did, however, dedicate four lines to the need to curb the ability of bad actors, including foreign nations or hackers, to "shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids." He continued, mentioning kids once again, in a call for legislation to guard against cyber attacks and identity theft and to "protect our children's information."
The President last week introduced an array of data privacy and security initiatives his administration hopes will influence and facilitate legislation, including the administration's Personal Data Notification and Protection Act, which promises to help companies handling consumer data by providing a set of rules for data breaches that applies on a national level. "This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard," noted a White House press release.
"We've been a strong supporter of legislation for probably three-plus years on data breaches," said Craig Spiezle, executive director of the Online Trust Alliance, a corporate-funded nonprofit trade organization that aims to help industry establish and implement strong, self-governed data privacy and protection regulations. The organization, which provides input regarding privacy policies to the White House every few weeks, planned to report today that 90% of the 500 data breaches that occurred in the first half of 2014 were avoidable. OTA released its data-protection guidelines for members to coincide with the State of the Union Address as well as Data Privacy Day, an annual worldwide event encompassing several panel discussions and programs starting January 28.
Despite support for data-breach notification rules by industry groups, passing a federal law will be no easy task, suggested Mr. Spiezle, who said some industry stakeholders might balk at calls for notification to be triggered when fewer than 50,000 or 100,000 consumer records are compromised, or might push back when it comes to timing on notifying authorities and consumers. He also said some trade groups want a federal law that would prevent states from taking action against firms subject to a breach.
"You won't hear the President talk about that level of detail," he said hours before the State of the Union Address.
Both the Interactive Advertising Bureau and the Direct Marketing Association praised President Obama's call for a national data-breach notification rule despite the fact that the final version of the speech made no mention of data breaches or a national standard for how and when companies notify authorities or consumers of a breach.
"We also laud the President's call for a single, national data breach notification standard. Having a patchwork of 46 disparate state laws does not adequately protect consumers' identities," noted Mike Zaneis, exec VP-public policy and general counsel for the IAB, in a statement.
"Notwithstanding the announcements leading up to the State of the Union, not much was said about the data security breach notification law that the President previously suggested. Regardless, it is part of the agenda," said Daren M. Orzechowski, partner with the law firm White and Case LLP. He continued, "One issue to watch is how the administration and Congress address whether individuals can bring a private lawsuit following a data breach and if so what is the potential liability to the company who suffers a breach. Another is whether companies will be responsible for implementing minimum cybersecurity requirements that might present an additional compliance expense."