President Obama Announces New Legislative Proposal Focused on Improving the Nation’s Cybersecurity
In response to the recent wave of high-profile data breaches, President Obama has revealed proposed legislation aimed at improving the nation’s cybersecurity by increasing certain privacy protections, streamlining the regulatory landscape, increasing public and private sector cooperation, and modernizing law enforcement. This alert outlines the framework of President Obama’s proposal based on information released by the White House to date.
In a series of speeches and press releases, culminating with his State of the Union address on January 20, 2015, President Obama has outlined the themes of the proposed legislative package focusing on the nation’s cybersecurity. Details about the potential legislation are limited at this time. Saul Ewing will monitor these proposed changes and will provide updates as needed.
Some of the highlights of President Obama’s proposed legislation include:
National Standard for Data Breach Reporting
The proposal simplifies and standardizes notice requirements by imposing a uniform 30-day notification requirement from the discovery of a breach of an individual’s personal information. It appears that the proposed legislation is intended to preempt the 47 state laws (along with the District of Columbia and several territories) that an organization must comply with following a breach. The White House hopes to install a “single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.”
Cybersecurity Information Sharing
The proposal encourages the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) by offering “targeted liability protection” to such private-sector entities. The NCCIC would then share that information in “as close to real-time as practicable” with other federal agencies and the newly organized, private-sector-operated Information Sharing and Analysis Organizations.
Increased Protections for Personal Information
The proposal introduces new requirements that an organization must comply with to better protect Americans’ privacy. An example of these new protections is the requirement that organizations remove unnecessary personal information from their systems. Private entities will be required to comply with these new standards in order to qualify for the proposal’s liability protections.
Modernization of Law Enforcement to Combat Cyber Crime
The proposal criminalizes such activities as overseas trade of stolen personal information and the sale of computer botnets used to launch cyberattacks. The proposal also modernizes the Computer Fraud and Abuse Act by eliminating certain unspecified actions from the scope of the Act. It also updates the Racketeer Influenced and Corrupt Organizations Act (RICO) to capture cybercrime-related activities.
Digital Privacy of Students
The proposal would also ensure that student data collected in the educational context is used only for educational purposes. The legislation bans the resale of such student data, while ensuring that it can be used for important research intended to improve outcomes in education. The proposal would also ban targeted advertising based on data collected from students in schools.
President Obama’s proposal could cause sweeping changes – potentially, both positive and negative – across the private sector. At this point, it is pure speculation as to what changes will occur. Saul Ewing attorneys will continue to track and analyze all potential changes related to President Obama’s proposed legislation. For more information on these matters, please contact the author or the attorney at the firm with whom you are regularly in contact.