President Barack Obama called for legislation Monday that would make companies warn customers sooner when their private information is lost in a data breach and adopt stricter guidelines for the use of data collected from students.
Most states have individual privacy laws that require companies to notify customers of a data breach. The president said that federal standards would replace the current “patchwork of laws” that are “costly to comply” with and “confusing for customers.”
Data breach notification laws were first passed in California in 2003, and similar laws have been adopted by 46 other states as of 2014.
The Personal Data Notification & Protection Act would set a single standard for what obligations companies have in the case of a data breach, including having to notify affected customers within 30 days.
The president also introduced The Student Digital Privacy Act, which would require that data collected from students be used only for educational purposes.
“Whether they are texting or tweeting, or on Facebook, or Instagram, or Vine, our children are meeting up—and they are growing up—in cyberspace. It is all-pervasive,” the president said. “We’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising.”
Obama highlighted the Student Privacy Pledge, a document signed by 75 companies in which they promise not to sell student information for targeted advertising.
“We’ve seen very few cases where people have pointed out problems [of companies misusing student data],” said Mark Schneiderman of the Software & Information Industry Association (SIIA), which developed the pledge. “Some of it is driven by preventative mindset, of getting ahead of the potential problem.”
Schneiderman said that the federal legislation protecting student data is modeled on California’s law, which is one of the strongest in the nation, so there shouldn’t be any problems with it superseding existing state laws regarding student data.
However, the details of the student data legislation haven’t been released. If the legislation doesn’t displace existing state laws, Schneiderman said it could create a burdensome, “ever more complicated regulatory framework” regarding student data.
Digital Bill of Rights
One of the more ambitious projects the president referenced was a Consumer Privacy Bill of Rights that could significantly reduce the collection of personal data by private companies and create a uniform minimum standard for security protocols protecting personal information.
The White House said a legislative proposal would be available in 45 days.
“We believe that consumers have the right to decide what personal data companies collect from them and how companies use that data … the right to have your information stored securely by companies that are accountable for its use,” the president said. “We believe that there ought to be some basic baseline protections across industries.”
A digital bill of rights would have far-reaching implications for a host of businesses in an increasingly data-driven economy, researchers said, including the stifling of big data-based innovation.
“We are concerned that the concept of a consumer privacy bill of rights is not entirely workable,” said David LeDuc, a senior director at SIIA. “We could have a broad overarching framework that governs all data collection,” which would likely be inferior to the existing privacy laws that govern data from separate economic sectors differently.
LeDuc also said that creating a uniform security standard was unworkable because the information security industry is always changing, and that the level of security should be commensurate with the sensitivity of the data.
“Businesses have every incentive in the world to maintain adequate security,” he said. “The recent hacking of Sony shows just how painful it is, how harmful it is to be breached.”