Obama's Call for Student and Consumer Data Protection Laws: Critics Already See Cracks
This week, President Obama called for new laws protecting Americans from the kind of massive data breaches that defined the consumer cybersecurity narrative in 2014, along with a proposal to limit technology companies' use of student data. But, as in nearly every case where legislation touches technology, there are potential problems on the horizon.
On Monday, in the run-up to his State of the Union speech, President Obama called for two pieces of legislation on data security and privacy: The Personal Data Notification and Protection Act, focused on standards for companies to inform consumers after they've been hacked, and the Student Data Privacy Act, which would prohibit companies from profiting from information collected from America's increasingly tech-driven schools.
Student Data Privacy Act
The Student Data Privacy Act would ensure that data collected from educational devices and systems would be used only for educational purposes and not sold to third-party firms for profit.
Technology like tablets, computers, software and cloud services is increasingly making its way into schools, both well-funded ones and those in impoverished neighborhoods, and this proposal faces perhaps the easiest road to adoption.
In fact, according to The Washington Post, 75 tech companies have already signed a voluntary agreement stating they will not misuse data collected from their educational programs. The proposal reportedly mirrors a California law enacted last year that protects students from data marketing.
Personal Data Notification and Protection Act
The Personal Data Notification and Protection Act, however, may face some criticism, depending on the specifics of the legislation and how it's implemented.
"If we're going to be connected, then we need to be protected. As Americans, we shouldn't have to forfeit our basic privacy when we go online to do our business," Mr. Obama said at the Federal Trade Commission, where he announced the proposals, according to The New York Times.
"Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests."
Details of the legislation are still unknown, but the overall thrust is to replace the patchwork of differing state laws that require companies to notify consumers of data breaches with a single federal standard. The one specific provision made public so far would require companies to inform customers within 30 days of discovering a breach.
The legislative proposal comes after a year full of high-profile hacks, starting with the massive Target credit card data breach and ending with the devastating cyber attack on Sony Pictures, with plenty of other major cyber security breaches in between.
As we previously reported, a Ponemon Institute/CNN Money report last year found that as many as 47 percent of online adults in the U.S. have had their personal data exposed by hackers. And fear of breaches is deterring many Americans from shopping online.
Experts Fear More Problems from New Data Breach Law
Cyber security experts are worried that the proposed federal law may end up heavy-handed, watered down, or simply insufficient to protect Americans' digital information from prying eyes.
First, unifying state laws into one federal standard may come at the expense of more stringent protections already on the books at the state level. According to security journalist Brian Krebs, writing on KrebsOnSecurity, several states already have breach notification laws, some of them stricter than the 30-day requirement in Obama's proposal.
For example, Connecticut requires insurance companies to notify customers of data breaches within five days of discovering the hack, while California has a similar "shot-clock" disclosure law in place for healthcare companies. And 14 states and the District of Columbia already have laws that allow customers to sue a company for damages after a data breach.
Whether Obama's proposal turns out to be a deal-breaker, according to Krebs, depends on whether the new legislation is treated as a minimum baseline that states with stronger laws can exceed, or whether the federal standard will preempt those stronger state standards.
The possibility of preemption, combined with the realities of Washington politics, worries other technology advocates, like Chris Calabrese of the Center for Democracy and Technology. Speaking to The New York Times, Calabrese noted "a lot of concern in the advocacy community about the possibility of a federal law being watered down."
For Technology, Law Always Lags Behind
But the more fundamental problem, according to Krebs and others, is the lack of adequate, up-to-date privacy laws in the U.S. to deal with the 21st-century ubiquity of technology and digitized personal information.
Obama's new legislative initiatives, and another voluntary initiative the President touted -- an agreement by JPMorgan Chase, Bank of America and other major financial institutions to make free credit scores easily available to their customers -- would be welcome, said Krebs.
"But they fall far short of the sorts of revisions we need to the privacy laws in this country, some of which were written in the 1980s and predate even the advent of Web browsing technology," he continued.
Noting the burgeoning health-tracking device market as an example, Krebs wrote, "companies are tripping over themselves to collect oodles of potentially very sensitive such data from consumers, and yet we still have no basic principles that say what companies can do with that information."
Much of the discussion over legislation and protection of consumer data comes back to the basics of data security, like encryption and sound security practices inside the company. Many of the year's data breaches came down to sloppy handling of access credentials, as in the Target breach, where attackers got in using a third-party vendor's stolen login, or to sensitive files left unprotected, as in the Sony case.
But Krebs is making that point at a time when, paradoxically, the U.S. government is pressuring technology companies to weaken the encryption it sees as an obstacle to its own law enforcement and anti-terror surveillance, and when, in the wake of the Charlie Hebdo attack, British Prime Minister David Cameron is threatening to ban encrypted messaging services that authorities cannot read.