US President spells out his cybersecurity legislative agenda
In the lead-up to the annual State of the Union address scheduled for next Tuesday, US President Barack Obama is making the rounds and giving a glimpse into his legislative plan for the year.
On Monday, he gave a speech at the Federal Trade Commission, and among the things he talked about was his plan to enact legislation for the protection of American consumers from identity theft, as well as better privacy legislation.
“In recent breaches, more than 100 million Americans have had their personal data compromised, like credit card information,” he noted, pointing out that this can turn one’s life upside down.
He stated his intention to introduce new legislation to create a federal standard for data breach notifications.
“Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days,” he said.
He disclosed that JPMorganChase and Bank of America, the USAA and State Employees’ Credit Union, and Ally Financial will make credit scores available to customers free of charge, helping them prevent and/or spot identity theft.
He announced the introduction of a Consumer Privacy Bill of Rights. “We believe that consumers have the right to decide what personal data companies collect from them and how companies use that data, that information; the right to know that your personal information collected for one purpose can’t then be misused by a company for a different purpose; the right to have your information stored securely by companies that are accountable for its use. We believe that there ought to be some basic baseline protections across industries,” he shared.
Finally, he revealed the introduction of the Student Digital Privacy Act, which will make sure that data collected in the educational context is used only for educational purposes, and would prevent companies from selling student data to third parties or using it for targeted advertising.
Today, at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, he shared his intention to introduce cybersecurity legislation that will encourage private sector companies to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will pass it on to relevant federal agencies and the private sector. The legislation would also protect companies that do so from liability.
This legislation would also encourage private-sector businesses to share this information among themselves, while protecting the privacy of their customers by removing unnecessary personal information from it.
Lastly, he announced a push towards modernizing law enforcement authorities to combat cyber crime.
“The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity,” it is noted in a summary of the announcement.
“It also reaffirms important components of 2011 proposals to update the Racketeering Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”