Pell Center at the Forefront of the National Discussion on Data Breach Notification Law
By Francesca Spidalieri, Fellow for Cyber Leadership
- Obama calls for data breach notification law, privacy bill of rights | Computer World
- Obama: Hackers pose a ‘direct threat’ to families | The Hill
- Pell Center Cybersecurity Workshop Discusses Necessary Updates to the RI Data Security and Breach Notification Law | Pell Center
President Barack Obama recently announced that he plans to propose new cybersecurity initiatives—in areas from ID theft to consumer privacy—during his State of the Union speech next Tuesday. In particular, the President will call on Congress to pass a national data breach notification law that would require companies to notify customers that their personal information has been compromised within 30 days of a breach. On a local level, the Pell Center has made similar recommendations to improve the current RI Data Security and Breach Notification Law. Obama cited the recent hacks at Target, Home Depot, and Sony as prime examples of why Congress should pass the Personal Data Notification and Protection Act.
The call for better data protection and better consumer notification after breaches is nothing new—the White House first called for a consumer privacy bill of rights in February 2012 and has backed a national breach notification law for years—but Congress has not yet acted.
For over a year now, as part of its Rhode Island Corporate Cybersecurity Initiative (RICCI) event series, the Pell Center has been discussing the repercussions of data breaches (on both consumers and companies) and the lack of clearly defined courses of action to take in the event of a breach. In an effort to make progress on this issue, the Pell Center hosted a dedicated workshop last September that brought together Rhode Island’s private- and public-sector leaders to review gaps in the current RI breach notification law, to compare the RI law with those of other states, and to propose methods to strengthen the existing law. The recommendations made during the workshop and subsequent meetings have now been used to draft a more comprehensive data breach notification law that was recently introduced for discussion on the State Senate floor. The new law would raise the cost of data breaches in Rhode Island; better protect state customers’ personal information; provide state companies with a specific timeframe and process to follow in the case of a data breach; and define the role that state agencies and law enforcement would play in those instances.
Similarly, the bill proposed by the President intends to protect consumers while providing much-needed focus on concrete steps that can be taken in case of a breach. The bill would also help coalesce the patchwork of state breach laws that currently exist. In addition to Rhode Island, more than 45 other states have data breach notification laws. The problem, however, is that there are no national standards or guidelines for states to follow. Obama has said that a lack of national standards confuses consumers and raises compliance costs for companies:
“In recent breaches, more than 100 million Americans have had their personal data compromised, like credit card information. When these cyber criminals start racking up charges on your card, it can destroy your credit rating. It can turn your life upside down. […] Sometimes folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late.”
Lawmakers have tried for nearly a decade to pass a federal bill to replace the patchwork of state laws, but have repeatedly failed, in part because the proposed laws either didn’t go far enough or went too far. The new proposed RI law on data breach notification, initiated by the Pell Center, could serve as a template for the nation.
Additional cybersecurity proposals that the President is scheduled to announce include a Consumer Privacy Bill of Rights that would give consumers more control over their digital data; a Student Data Privacy Act, which would prevent information collected about students from being used for anything but educational purposes; and a broadband expansion plan.
In short, tune in on Tuesday to hear the President’s proposals for the future of our cybersecurity. But if you want to catch an early glimpse of what that future might look like, tune in to the Pell Center’s efforts to make Rhode Island a model for cyber leadership around the country.