Obama Wants Firms to Notify of Data Breach Within 30 Days

The Proposal Complemented a Series of Data Privacy Related Rules Suggested by the White House Today


Credit: Doug Mills/Pool via Bloomberg

President Barack Obama wants companies to notify consumers within 30 days of a personal data breach. Despite a slew of pressing issues facing the administration and a potentially unsympathetic Republican-led Congress, the White House today unveiled a handful of legislative proposals aimed at safeguarding consumer privacy, continuing along a path established by its privacy and big data report published in May.

The administration's Personal Data Notification and Protection Act is being pitched in part as beneficial to companies handling consumer data, since it provides a set of rules for data breaches that applies on a national level.

"This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard," noted a White House press release.

Industry has long supported a federal data-breach rule. U.S. Attorney General Eric Holder in February called for a national data-breach law, in part a response to the giant Target data breach. Since then, several firms holding consumer information have been vulnerable to hacks and data spills. The recent exposure of Sony data -- allegedly perpetrated by North Korean government forces -- has national defense implications, perhaps propelling the White House to push harder for updated privacy and security laws.

"We applaud the President of the United States for his continued leadership in the area of security and other consumer protections. We are especially encouraged by his call for a single, national standard," said Mike Zaneis, exec VP-general counsel of the Interactive Advertising Bureau. "We look forward to working with the 114th Congress to enact a strong bill that preempts the current patchwork of state laws."

Another key element of the President's proposal is the Student Digital Privacy Act, aimed at protecting data garnered in educational settings. The bill "would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school – while still permitting important research initiatives to improve student learning outcomes, and efforts by companies to continuously improve the effectiveness of their learning technology products," noted the White House statement.

According to the White House, 75 firms including Microsoft and Apple have agreed to a student-data-related pledge overseen by the Future of Privacy Forum and Software and Information Industry Association.

The IAB was skeptical of comprehensive privacy legislation, a concept the ad industry has fought for years. Mr. Zaneis cautioned against a sweeping Consumer Privacy Bill of Rights, which the administration said it will release as revised draft legislation within 45 days. "Broad attempts to regulate in this dynamic space, such as an amorphous Consumer Privacy Bill of Rights, have garnered little support on Capitol Hill and we expect this to remain true in the new Congress," noted Mr. Zaneis.

In conjunction with the privacy proposals, the Energy Department and Federal Smart Grid Task Force unveiled a voluntary code of conduct for utilities and third-party partners intended to guard customer electricity data.

Lawmakers with stronger ties to industry are also introducing data security legislation. Earlier this month, Rep. Marsha Blackburn, R-Tenn., announced during a keynote speech at the Direct Marketing Association's Dynamic State of Data conference that she would re-submit her SECURE IT bill in the new Congress.
