Obama sets cyber security agenda

President Obama described several legislative proposals intended to improve cyber security during a speech Monday at the Federal Trade Commission.

The announcements precede what he said would be part of his upcoming State of the Union address. The speech is part of series of “spoilers” the President has been unveiling in advance of the traditional speech to Congress and the nation.

“I’m laying out some new proposals on how we can keep seizing the possibilities of an Information Age while protecting the security and prosperity and values that we all cherish,” Obama said.

In this speech Obama listed four specific steps aimed at protecting identities and privacy. He also hinted that in an ensuing speech, to be given at the Department of Homeland Security, he’d propose additional measures that would “focus on how we can work with the private sector to better defend ourselves against cyber attacks.”

President’s 4 steps

The four measures Obama described at the FTC were:

1. New legislation to create a single, strong national standard so Americans know when their information has been stolen or misused.

Companies would have to notify consumers of a breach within 30 days. “Loopholes” would be closed to allow the government to go after criminals who act overseas.

“Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies—and it’s costly, too, to have to comply to this patchwork of laws,” Obama said. “Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late.”

2. New legislation to establish a “Consumer Privacy Bill of Rights.”

Elements of this legislation would include: the right to decide what personal data companies collect from consumers and how companies use that data; the right to know that personal information collected for one purpose can’t then be misused by a company for a different purpose; and the right to have information stored securely by companies  and they be accountable for its use.

The President said this legislation would be introduced towards the end of February.

3. New legislation called the “Student Digital Privacy Act.”

The purpose of this would be to ensure that data collected on students in the classroom should only be used for educational purposes.

Associated with this, the Department of Education will pursue a separate avenue to “offer new tools to help schools and teachers work with tech companies to protect the privacy of students.” Already, 75 companies have signed a “Student Privacy Pledge” in which they commit not to sell student information. Teachers and schools would be notified of other companies that do not sign.

4. The administration will encourage more banks, credit card issuers, and lenders to provide their customers with free access to their credit scores.

“The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” Obama said. “Meanwhile, the more companies strengthen their cyber security, the harder it is for hackers to steal consumer information and hurt American families.”

Among the companies mentioned that are taking part were four banks: JPMorgan Chase, Bank of America, USAA, and Ally Financial.

The President issued an executive order regarding cyber security last October. [Read “White House mandates cyber security via ‘BuySecure’” ] DanLINK

Industry reaction to speech

ABA President and CEO Frank Keating, responding to Obama’s FTC speech, said in a statement: “Banks invest hundreds of millions of dollars every year to put in place multiple layers of security to protect sensitive data. Protecting customers has always been and will remain our top priority. We look forward to working with the White House, members of Congress on both sides of the aisle, regulators, and the private sector to find common ground and better protect consumers and our critical infrastructures from cyber threats, data breaches, and fraud.”

Keating added that banks “are fully committed to protecting consumer data, notifying them in the event of a breach, and making our customers whole—regardless of where a breach occurs.”

The ABA leaders also said his association fully supported legislation that will facilitate increased cyber intelligence information sharing between the private and public sectors in a manner that protects consumer privacy and allows information sharing on serious threats to our critical infrastructures.”

Bankers involved in the BSA/AML area have complained in the past that federal talk of information sharing has tended to be a bit short on delivery.

In its statement the Financial Services Roundtable’s CEO, Tim Pawlenty, said, “while we applaud the push for a national data breach notification law, we urge the President to also support a data security standard so retail consumers are better protected.”

The Roundtable supports adoption of a national data breach notification law that would create a federal, uniform standard of notification to customers following a breach.

“While this is an important step to protect consumers, the financial industry is held to strict data security standards to ensure customers’ personal financial information is protected,” the Roundtable stated. “As such, any federal data breach notification law, like that called for by the President today, must ensure that all industries are held to equally-high data security standards to best protect consumers.”

Remarks by the President at the Federal Trade Commission

Fact Sheet: Safeguarding American Consumers & Families

White House blog and video on privacy