President Obama Includes Cybersecurity, Privacy in SOTU

BY CCIA Staff
January 21, 2015

Washington – President Obama touched on an array of proposals related to increasing cybersecurity and privacy protections for consumers in last night’s State of the Union address. In the wake of last year’s Sony hack and other high-profile breaches, concerns about the security of corporate networks, critical infrastructure, and consumers’ personal and financial information have heightened.

General outlines of the president’s cyber agenda were released in the week leading up to last night’s speech.  They include legislative proposals and planned executive actions.  The devil, of course, is in the details, as the Administration is placing the ball firmly in Congress’ court when it comes to ensuring that provisions in the legislative proposals do not stifle digital innovation.

Consumer Privacy

  • Personal Data Notification & Protection Act
    • Creates a national standard for data breach notification by preempting a patchwork of 48 state laws.
    • Establishes a 30-day notification requirement from the discovery of a breach, with flexibility for delay or exemption when national security or criminal investigations are implicated.
    • The proposal also criminalizes illicit overseas trade in identities.
  • Student Digital Privacy Act
    • Modeled after California’s Student Online Personal Information Protection Act.
    • Prevents companies from selling student data to third parties for purposes unrelated to the educational mission.
    • Prohibits targeted advertising to students based on data collected in school.
    • Permits research initiatives to improve student learning outcomes and efforts by companies to improve the effectiveness of their learning technology products.
  • Consumer Privacy Bill of Rights Legislation
    • Based on the Administration’s 2012 Blueprint.
    • Proposed language remains under wraps, but is meant to apply clear principles that look at the context in which data is collected in online interactions and ensure that users’ expectations are not abused.

Cybersecurity

  • Cyber-threat Information Sharing Legislation and Executive Action
    • Legislation is intended to increase information sharing between the government and private sector and within the private sector.
    • Private to government information sharing would be centralized in the Department of Homeland Security’s National Cybersecurity & Communications Integration Center, rather than NSA.
    • Information would be immediately shared with relevant government agencies, likely including the intelligence community.
    • The executive action would have DHS issue an RFP for a third-party standards organization to develop, with industry input, guidelines for private sector Information Sharing and Analysis Organizations (ISAOs).
  • Updates to federal cybercrime statutes
    • Includes provisions that would allow for the prosecution of the sale of botnets, criminalize the overseas sale of stolen U.S. financial information, expand federal law enforcement authority to deter the sale of spyware, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
    • Updates the Racketeer Influenced and Corrupt Organizations Act (RICO), so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes.
    • Proposes updates to the Computer Fraud and Abuse Act
      • Ensures that insignificant conduct does not fall within the scope of the statute.
      • Increases remedies against insiders who abuse their ability to access information to use it for their own purposes.
      • Raises penalties for acts of circumventing technological access barriers.
