Much Cyber. Very Security. The devil is in the details with Obama’s new cybersecurity proposals.


This week the White House announced plans to release a new legislative proposal aimed at providing notice to victims of corporate data breaches. The Personal Data Notification and Protection Act is expected to look similar to the Administration’s 2011 proposal, including a provision that would preempt stronger state laws. The president also promised draft legislation implementing the Consumer Privacy Bill of Rights, as well as separate draft legislation increasing protections for student data. While these proposals show that the White House is prioritizing data security, it is not yet clear that the Personal Data Notification and Protection Act will actually lead to improved security or provide adequate protection for users’ privacy.

Current data breach notification laws require businesses to notify users when their personal information has been either accessed or acquired without authorization. These laws provide transparency to consumers who are increasingly paying for corporate data breaches with their security and privacy. The president’s proposal, the full text of which is expected soon, will require notification to users within 30 days of a breach (an upgrade over the 60 days in the 2011 proposal). However, the proposal will explicitly supersede stronger state laws. Maine, for instance, has a process to determine whether notification is required, and users must be notified within seven days of that determination. Some state laws also contain a private right of action, allowing individuals to sue companies that fail to abide by notification requirements. The federal proposal should either be strengthened or it should allow for the co-existence of stronger state laws.

The Consumer Privacy Bill of Rights, if passed, would establish the first federal baseline privacy rules within the United States. Currently, U.S. privacy laws are largely sector-specific, with individual rules for credit and banking information, health information, education information, and other types of user data. By comparison, the E.U. is currently negotiating a “Data Protection Regulation,” which would provide clear rules that all member states must follow for all kinds of data. Notably, the E.U., unlike the U.S., recognizes data protection as a fundamental right. The Consumer Privacy Bill of Rights includes limits on collection, retention, and use of user data by private entities, as well as an overarching right of individual control.

Access has applauded previous efforts by the Obama Administration to provide rules and guidance on data security and user privacy. But at the same time we’ve noted inherent deficiencies in organizational structures and policies that have exacerbated gaps in both security and trust, such as the conflation of federal practices aimed at increasing user security with government surveillance functions. For example, the NSA is tasked with both protecting data and undermining security. We must ensure that the new measures are not weakened or contradicted by other policies.

The President’s speech came at the beginning of what is expected to be a heavy week for administration and congressional statements on cybersecurity. Later this week, the White House is poised to release an executive action on cybersecurity and information sharing as well as policies aimed at increased broadband access and growing the population of cybersecurity experts. Additionally, on January 13, the Senate Foreign Affairs Committee will hold the first post-Sony congressional hearing on North Korea and cybersecurity threats, and at least some legislators are expected to take the opportunity to promote rights-invasive information sharing legislation, such as CISPA. As we’ve noted, information sharing policies are of questionable utility and can place users’ privacy at risk by encouraging the private sector to unnecessarily transfer sensitive personal information to the government.

While Access supports improved data security and better privacy standards, many current government proposals would harm user rights. Any cybersecurity proposals should be evaluated based on their impact on users. We look forward to engaging with the Obama Administration on these proposals in order to best protect the human rights of users and to keep the internet open and free.

photo credit: Ryoji Ikeda