Last week President Obama called for federal legislation that would aim to safeguard consumer data and require retailers to be more forthcoming about data breaches when they occur. Obama will announce his legislation, The Personal Data Notification and Protection Act, in his State of the Union Address tomorrow night, and the administration expects bipartisan support. According to Obama, the current mishmash of state laws doesn't protect Americans. At a Federal Trade Commission event in Washington, D.C., last week he said that he was introducing new legislation to create a strong national standard so Americans know when their information has been stolen.
His proposal aims to strengthen the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard. Another highlight includes firms making credit scores available for free to their consumer card customers in an effort to prevent identity theft.
As the number of data breaches continues to rise, this legislation is a step in the right direction. At last week's National Retail Federation's Big Show, Earthlink's Peter Chronis, chief security officer, and Greg Griffiths, VP, Retail Solutions, underscored the urgency of companies' data protection situations. They said they're seeing hackers move from a retail theft scenario to a "smoking hole" setting where they're targeting companies with large footprints and putting entire operations under attack.
But many critics of the bill say a data breach notification law would be limiting by not requiring companies to create a data security program and safeguard internal practices. The federal legislation may also preempt tougher state legislation aiming to protect consumer data.
Although some privacy advocates aren't convinced of the eventual effectiveness of the legislation, Larry Clinton, president and CEO of the Internet Security Alliance, publicly said that he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification.
Whether or not Obama's legislation proves to be the cure-all for preventing data breaches, it's a step in the right direction and a wake-up call for organizations to invest in solid security programs, policies, and platforms.
What are your thoughts on what the legislation is lacking or should include?