Washington – President Obama touched on an array of proposals related to increasing cybersecurity and privacy protections for consumers in last night’s State of the Union address. In the wake of last year’s Sony hack and other high profile breaches, concerns about the security of corporate networks, critical infrastructure, and consumers’ personal and financial information have heightened.
General outlines of the president’s cyber agenda were released in the week leading up to last night’s speech. They include legislative proposals and planned executive actions. The devil, of course, is in the details, as the Administration is placing the ball firmly in Congress’ court when it comes to ensuring that provisions in the legislative proposals do not stifle digital innovation.
Consumer Privacy
- Personal Data Notification & Protection Act
- Creates a national standard for data breach notification by preempting a patchwork of 48 state laws.
- Establishes a 30-day notification requirement from the discovery of a breach, with flexibility for delay or exemption when national security or criminal investigations are implicated.
- The proposal also criminalizes illicit overseas trade in identities.
- Student Digital Privacy Act
- Modeled after California’s Student Online Personal Information Protection Act.
- Prevent companies from selling student data to third parties for purposes unrelated to the educational mission.
- Prohibits targeted advertising to students based on data collected in school.
- Permits research initiatives to improve student learning outcomes and efforts by companies to improve the effectiveness of their learning technology products.
- Consumer Privacy Bill of Rights Legislation
- Based on the the Administration’s 2012 Blueprint.
- Proposed language remains under wraps, but is meant to apply clear principles that look at the context in which data is collected in online interactions and ensure that users’ expectations are not abused.
Cybersecurity
- Cyber-threat Information Sharing Legislation and Executive Action
- Legislation is intended to increase information sharing between the government and private sector and within the private sector.
- Private to government information sharing would be centralized in the Department of Homeland Security’s National Cybersecurity & Communications Integration Center, rather than NSA.
- Information would be immediately shared with relevant government agencies, likely including the intelligence community.
- The executive action would have DHS issue an RFP for a third-party standards organization to develop, with industry input, guidelines for private sector Information Sharing and Analysis Organizations (ISAOs).
- Updates to federal cybercrime statutes
- Includes provisions that would allow for the prosecution of the sale of botnets, criminalize the overseas sale of stolen U.S. financial information, expand federal law enforcement authority to deter the sale of spyware, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
- Updates the Racketeering Influenced and Corrupt Organizations Act (RICO), so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes.
- Proposes updates to the Computer Fraud and Abuse Act
- Ensures that insignificant conduct does not fall within the scope of the statute.
- Increase remedies against insiders who abuse their ability to access information to use it for their own purposes.
- Raise penalties for acts of circumventing technological access barriers.