On Monday, January 12, 2015, President Obama appeared at the Federal Trade Commission to announce the administration’s blitz of cyber security and privacy legislative and public policy initiatives, which will be discussed in greater detail in tonight’s State of the Union Address. The President’s proposals encompass a broad range of legislation, as well as collaborative efforts between the federal government and industry leaders.
Proposed Legislation:
- Personal Data Notification and Protection Act. This act would establish a nationwide 30-day breach notification window and criminalize the international trade in identity information.
- Student Digital Privacy Act. This act is modeled after the California Student Data Privacy Law and would prohibit companies from selling student data for non-educational purposes and from targeting advertising to students via information collected in school.
- Consumer Privacy Bill of Rights. This proposal would enumerate several consumer rights, including the right to control data collected by companies and the uses of that data, the right to clear and accessible information about a company’s privacy and security practices, the right to correct data inaccuracies, and the right to know who is accountable for use of personal data.
- Amendments to RICO. These amendments to the Racketeer Influenced and Corrupt Organizations Act would make the law applicable to, and clarify the penalties for, cybercrimes.
- Updates to the Computer Fraud and Abuse Act (“CFAA”). This legislation would clarify that the CFAA can be used to prosecute insiders who exploit access to information for their own purposes.
- Encouraging Information Sharing. This proposal would incentivize private-sector companies that have experienced a breach to share information about the breach with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would in turn share the information with relevant federal authorities and with the Information Sharing and Analysis Organizations. Companies that follow the proposed notification process would receive “targeted liability protection.”
Additionally, President Obama discussed several initiatives in which the federal government is partnering with private-sector organizations to promote self-regulation in an effort to provide stronger privacy protection to individuals.
Joint Private-Sector/Government Initiatives:
- The Voluntary Code of Conduct for Smart Grid Customer Data Privacy. The Department of Energy and Federal Smart Grid Task Force have developed a voluntary code of conduct designed to protect consumer data regarding energy usage. The Code is designed to improve consumer choice, consent, and controls on access to such data.
- Model Terms of Service. The Department of Education and Privacy Technical Assurance Center have drafted Model Terms of Service, designed to ensure that educational data is used for appropriate, education-centric purposes.
- Joint Effort to Identify and Prevent Identity Theft. In partnership with the Fair Isaac Corporation (FICO), JPMorgan Chase, Bank of America, USAA, State Employees’ Credit Union, and Ally Financial will begin offering free credit scores to certain consumers in an effort to help individuals identify instances of identity theft.