Data breaches and cyber-security issues are hot topics. Any company that uses electronic means to conduct business or to obtain and store information or customer data is subject to the risk of a data breach. The effects of a breach can be devastating. We have recently blogged about practice pointers and tips for companies and boards of directors to be gleaned from high-profile breaches such as the one facing Sony. Against this backdrop, President Obama weighed in on the significance of cyber crime.
In a January 12, 2015 speech given to the Federal Trade Commission, President Obama unveiled his plan to protect American consumers from identity theft and ensure our privacy. He identified new legislation that is being introduced to create a single national standard to notify Americans when their information has been stolen or misused. Currently, most states have some version of this law, but the differences across states create confusion among companies and consumers. The proposed legislation would require companies to notify consumers of a breach within 30 days. The law would simplify and streamline the reporting and notification process by standardizing the existing patchwork of state laws into one federal statute. The result should ease the burden and costs for many companies dealing with different notification requirements across multiple states. Another aim of the proposed legislation is to close loopholes in the law, making it easier to prosecute criminals who steal and sell the identities of Americans.
The second piece of the proposed legislation seeks to create a Consumer Privacy Bill of Rights. The goal of the Bill is to create standard baseline protections across industries as to how personal consumer data can be collected and how it can be used. The Bill would give consumers the right to have their personal data stored securely by companies and hold companies accountable for the use of that data. Companies would not be able to collect personal data for one purpose and then misuse it for another purpose.
The last portion of the proposed legislation is a Student Digital Privacy Act. The Act is designed to prevent companies from selling student data to third parties for purposes other than education. It will combat those companies that use educational technologies to collect student data for commercial purposes, like targeted advertising.
The proposed changes in the law surrounding cyber-security serve as a good reminder to all companies to monitor and update cyber-security policies to comply with any state and federal guidelines. Company protocols in the event of a breach should also be routinely reviewed to ensure prompt notification and reporting. Most importantly, as President Obama stated, doing business in cyberspace “creates enormous opportunities, but also creates enormous vulnerabilities”; therefore, all companies should make it a priority to ensure they are taking the necessary and appropriate steps to protect against those vulnerabilities and the threat of an attack.