US President Obama will announce two new pieces of legislation today that are designed to protect consumers from the massive data breaches and students from greedy companies that want their data. Good idea! However, some think Obama's plan doesn't sound like it provides quite enough protection. But it's still a good idea!
The so-called Personal Data Notification and Protection Act is aimed at mitigating some of the impact of breaches like the Sony hack or the Target bonanza. It would establish several national standards for how companies must react to these incidents, including a requirement to notify customers within 30 days of the breach. That's great, because many states already have similar provisions in place, but they differ from one another. Actually, 48 out of the 50 states have some sort of law like this protecting consumer data, so it seems likely that Congress will take on the challenge and hopefully unify the disparate policies with a national standard.
But is it the right standard? We still don't know all of the details of Obama's legislation, and Congress will obviously make changes if it takes the president's lead. Privacy advocates are already saying that the 30-day disclosure timeframe seems a little lax — or at least more lax than some existing state laws. "The problem is that the effect will likely be to pre-empt the stronger state laws," Marc Rotenberg, the president of the Electronic Privacy Information Center, told The New York Times. "We want a federal baseline, and leave the states with the freedom to establish stronger standards." The Times says that Rotenberg "favours disclosure faster than 30 days."
Indeed, some states have stricter laws. You can find a handy summary here — or a full list here — of state laws that show much more aggressive approaches to data breaches involving health care and insurance data. California and Connecticut, for instance, require notifications to be sent within five days of the breach for those types of hacks.
More data security is always better than less data security. Congress will hopefully hammer out the details of the Personal Data Notification and Protection Act in a way that pleases privacy advocates. Meanwhile, the president will continue his focus on privacy and cybersecurity with an additional piece of legislation that keeps companies from selling data collected in schools: the Student Data Privacy Act. Obama's also expected to announce agreements with companies over protecting home energy data, easier access to credit reports, and an early warning system for identity theft. All good ideas that hopefully end up being as strict as we need them to be. [NYT]