Obama to Call for Laws Covering Data Hacking and Student Privacy

January 11, 2015


WASHINGTON — President Obama on Monday called for federal legislation intended to force American companies to be more forthcoming when credit card data and other consumer information are lost in an online breach like the kind that hit Sony, Target and Home Depot last year.

The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country.

The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.

“If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business,” Mr. Obama said Monday. “Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”

Monday’s announcements were part of a weeklong focus on privacy and cybersecurity by Mr. Obama ahead of his State of the Union address next week. White House officials said they expected bipartisan support for the initiatives and did not anticipate fierce opposition from industry or advocacy organizations.

But on Capitol Hill, Mr. Obama faces a Republican-controlled Congress for the first time in his presidency. It remains unclear how quickly his adversaries in the House and the Senate will move to take up the legislation, and whether disputes in other areas could delay its consideration.

Consumer and privacy groups have yet to see details of the president’s proposals, and some remain concerned that any federal standard could be weaker than the robust state laws passed in recent years. California, for example, recently passed a state law protecting student data.

“The problem is that the effect will likely be to pre-empt the stronger state laws,” said Marc Rotenberg, the president of the Electronic Privacy Information Center, who favors disclosure faster than 30 days. “We want a federal baseline, and leave the states with the freedom to establish stronger standards.”

Chris Calabrese, the senior policy director for the Center for Democracy and Technology, said that his group had not rejected the idea of a federal law, but that it depended on how it was written. “There is a lot of concern in the advocacy community about the possibility of a federal law being watered down,” Mr. Calabrese said.

Corporate data breaches have gained urgency since attacks on Sony Pictures that officials say were done by the North Korean government. Under the proposed law, the discovery of a breach would trigger a “30-day shot clock” that requires notification. The legislation clarifies when breaches must be disclosed and makes it a crime to sell a person’s cyberinformation overseas. The Federal Trade Commission would get the power to issue penalties to companies that did not comply.

“There’s a crazy quilt patchwork of 48 state laws, and they are in tension with each other,” said Jon Leibowitz, a partner at the Davis Polk law firm and a former chairman of the Federal Trade Commission under Mr. Obama. “This is not a flash point, ideological battle here. It could be the kind of legislation that protects privacy, protects consumers and actually has a chance for getting enacted.”