The White House recently released a comprehensive cyber-security policy proposal, and with it raised new hopes that a streamlined solution around data breach notification is finally at hand. The desire for such a federal policy, which would supersede the patchwork quilt of state regulations, has long been expressed – proposals have been bandied about for years but have invariably become bogged down in Congress. Despite widespread arguments that the mandatory obligations of businesses around data breach notification should be simplified and made uniform across the country, a national law has remained frustratingly elusive.
The release of the Obama administration’s proposal breathes new seriousness of purpose into this effort, which its backers hope will galvanize Congress to push the legislation over the hump so that national guidelines finally become law. The new proposal creates specific requirements around the method and timing of communications about breaches and positions the Federal Trade Commission and state attorneys general as the enforcers of the law, with penalties for violations totaling as much as $1 million.
The proposal has been met with both receptivity and criticism. Members of the House Committee on the Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, for starters, have various issues with the bill; some claim that enforced standards will hinder economic growth, while others complain that the information-sharing portions of the bill that address liability are too broad. A further criticism is that nationalizing the rules in a way that weakens state laws will help businesses at the expense of consumers.
Data breach notification requirements are just one part of the White House proposal, which also includes provisions on cyber-defense and on protecting critical infrastructure such as electric grids and financial systems from would-be cyber-terrorists. The Department of Homeland Security would work closely with states and critical infrastructure businesses to help manage appropriate protections and responses to “significant cyber-security incidents.”