President Obama called for federal legislation Monday to protect student data and require companies that are hacked to be transparent with their customers.
The proposal comes amid a rash of computer breaches at companies like Target, JPMorgan Chase and Sony in which personal data of millions of customers and employees was compromised.
“We pioneered the Internet,” Obama said at the Federal Trade Commission. “But we also pioneered the Bill of Rights and a sense each of us as individuals have a sphere of privacy around us that should not be breached by our government but also by commercial interests.”
He offered the proposals as part of a week of cybersecurity initiative announcements, and as a “sneak peek” ahead of his State of the Union Address next week. The recent spate of high-profile cyber attacks has heightened the urgency for new rules and created an opening on an issue that both political parties may be able to agree on.
The president’s first proposal, the Personal Data Notification and Protection Act, would require companies that are hacked to inform their customers within 30 days of a breach’s discovery. Currently, a “patchwork” of state-by-state regulations governs what and when businesses must share that their computer systems have been infiltrated. California law, for instance, requires companies to tell customers who are impacted within five days. Meanwhile, states like Alabama, New Mexico and South Dakota have no rules compelling companies to disclose breaches.
In addition to creating uniform rules about disclosure, the legislation would also criminalize the sale of personal data overseas.
President Obama gave only broad outlines of his proposal. Its effectiveness will likely lie in the details. There was no word on whether the legislation would preempt the hodgepodge of existing state laws, for instance. Additionally, it lacked definitions of basic terms like “breach” and “personal information” that are important in how any law is enforced.
“If there is a federal standard, but then other states adopt stricter standards underneath the federal law, that doesn’t help much,” says Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin.
To be effective, any new federal legislation would have to supersede the current fractured constellation of state rules, she said. However, doing so might “water down” the law in states like California where tough rules already exist, she argued.
Proposals related to data breaches are nothing new for Congress. Over the past five years, members have introduced 33 different bills related to notifying breach victims, Larose said. Many have come and gone without success. She gave the president’s latest proposal a 50-50 shot at passing.
“None of these [new proposals] are going to make everybody happy, but I think this will go further than some of the other proposals in the past,” Larose said.
President Obama’s second proposal, the Student Digital Privacy Act, would limit companies to using academic data only for educational purposes. Companies would be banned from using student information such as test results, grades and academic performance for marketing and targeted advertising.
The proposal is patterned on legislation recently enacted by California, and it could also make these third-party companies civilly liable for data breaches. Most education companies already promise not to share student data. But outside of certain states, there is no penalty if they fail to keep their pledges. With a law in place, they would likely face federal inquiries.
The current law, the Family Educational Rights and Privacy Act, was enacted in 1974 and drafted before the Internet was a major consideration. Mike Goldstein, a co-chair of law firm Cooley’s higher education practice group, called the president’s proposal a “logical extension” of the current law given the changes in education and the pervasiveness of technology today.
Mark Schneiderman, senior director of education policy at the Software and Information Industry Association, a high-tech trade association of about 800 companies including Google, Apple and Pearson, said that he is pleased that the president called attention to the association’s student privacy pledge, which was signed last year by about 75 companies, but is “wary” that the new proposal “might go too far and lose some of that opportunity to serve students through technology.”
Stacy Skelly, a spokesperson for the publishing and education firm Pearson, would not comment on the president’s proposal, but instead offered some clarification of Pearson’s privacy stance: “When an educational institution or agency entrusts Pearson, we work 1:1 with that organization to ensure its data is protected and our controls are consistent with the organization’s relevant requirements, including the promises it makes to its learners,” she told Fortune in an email. “We are not in the business of selling personally identifiable student data or permitting its use for targeted advertising.”
It also remains to be seen which agency would enforce the new rules. That the president delivered his speech at the FTC—the first president to visit the agency, he said, since Franklin D. Roosevelt in 1937—signals that he may expect the FTC to assume responsibility.
During President Obama’s speech, Islamic State sympathizers apparently took over the Twitter and YouTube accounts of U.S. Central Command, the unified combatant command of the U.S. Department of Defense responsible for military operations in the Middle East and Central Asia. They posted images of potentially personally identifiable information about members of the U.S. military, recruiting videos, and other pro-ISIS propaganda. The incident was a social-media account takeover rather than a compromise of military networks. (The accounts have since been suspended.)