President Barack Obama previewed a new data breach notification law today in a speech to the Federal Trade Commission; the proposed law would set a 30-day deadline for notifying affected consumers.
He said that this year's data breaches, including the recent hack of Sony, make the economy more vulnerable.
"Today, I’m focusing on how we can better protect American consumers from identity theft and ensure our privacy, including for our children at school," he said.
To start with, he pointed out that almost every state has a different law on the books about how and when to notify people in the event of a data breach.
For example, according to Baker & Hostetler LLP, a national law firm with a focus on data privacy issues, notification deadlines vary from five days in Connecticut to 45 days in Ohio, Vermont, and Wisconsin.
"It’s confusing for consumers and it’s confusing for companies -- and it’s costly, too, to have to comply with this patchwork of laws," said Obama. "Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late."
A common set of laws, even with stringent rules, would be welcomed by many in the industry, said Jim Reavis, CEO of the Cloud Security Alliance.
"We've been looking for uniformity," he said. "If we create more uniformity in the country, it will be good for the industry."
Under the proposed law, there would be a uniform 30-day breach notification deadline, with the clock starting when the breach is discovered.
"In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans -- even when they do it overseas," Obama said.
The president also proposed a Consumer Privacy Bill of Rights, which would ensure that consumers would have the right to decide how companies use their personal data, and the Student Digital Privacy Act, which would restrict the use of data collected about students.
The president called on business leaders and consumer privacy advocates to work together to get these laws passed.
"This mission, protecting our information and privacy in the Information Age, this should not be a partisan issue," he said. "This should be something that unites all of us as Americans."
However, several previous attempts to pass similar legislation have all failed and, even with both houses now under the control of the opposing political party, the odds are no better this time around, said John Pescatore, director of emerging trends at the SANS Institute.
For example, even if both houses approve the bill, they may water it down to such an extent that the president vetoes it, he said.
And none of the important details, such as what specifically constitutes a data breach, have been released yet, he added.
"Is it simply that the data was lost?" he asked. "Someone lost a data tape and can't find it -- does it require notification? Or does it require proof that someone saw the information? These are some of the things that are different state by state."
Not every breach is the same, said Tsion Gonen, chief strategy officer at SafeNet, Inc., which was just acquired by Amsterdam-based cybersecurity firm Gemalto.
"For example, it is possible for a company to be breached, and yet still protect the data with technologies like encryption," he said.
Security experts also had some criticism of the 30-day notification deadline.
"Thirty days is an aggressive window," said Kevin Jones, senior security architect at Washington, DC-based Thycotic Software, Ltd.
Companies have to fully understand the scope of the breach first, and fix any ongoing security issues, before they go public, he said.
"A shot clock of 30 days may cause organizations to buckle under pressure and disclose before the issue is fully addressed, which would just bring the spotlight on them for attackers," he said.
And there doesn't seem to be any incentive for companies to discover breaches earlier, said Kevin Conklin, VP of marketing and product strategy at Framingham, Mass.-based security firm Prelert Inc.
"It’s an average of 200 days or more before companies learn of a breach," he said. "At that point, the damage to consumers has already been done. Forcing companies to report breaches quickly is important, but these companies need to proactively take steps to identify breaches earlier."
"A rush to disclosure can sometimes hamper research by law enforcement and other parties," added Drew Kilbourne, managing director at Dulles, VA-based Cigital. "Often breaches are not immediately disclosed in order to not tip off the attacker that they have been discovered, allowing time to study the attack to learn about new or evolved tradecraft and attack vectors and perform attribution."
The proposed law will not make anyone safer or prevent breaches, he added. Breach notifications, he said, are more about retaining customers and managing public perception.
"Quicker notification may be more window dressing than an effective strategy," he said.