President Obama has outlined a series of data security and privacy proposals in the latest sign the White House and Congress are gearing up to take legislative action on information protection.
The proposed bills were first outlined in a speech at the Federal Trade Commission on Monday, followed by a memo offering more details released by the White House on Tuesday.
The President proposed a uniform national security standard requiring companies to inform their customers of a data breach within 30 days of discovering their information has been hacked.
The Personal Data Notification and Protection Act would protect consumers living in states which have yet to enact breach notification laws, or have fairly weak ones on the books. The federal breach notification law would simplify compliance for organizations operating in multiple states. Currently, organizations have to navigate a confusing patchwork of over 40 state regulations when dealing with a data breach or a security incident. The proposals—which have yet to be drafted into bills—would also extend protection to victims to cover incidents where the data compromised was not healthcare or financial-related.
The Student Data Privacy Act would restrict students’ information stored in online education services and educational software from being collected and repurposed.
The proposals also called for criminalizing the sale of stolen user data.
“If Congress fails to pass the above legislation this year, it will stand accused of negligence and complicity in the crime wave which is currently impacting hundreds of millions of Americans,” Stephen Cobb, a senior security researcher with ESET, told SecurityWeek.
The FTC would have the authority to impose fines and punish companies who don’t comply with these laws. “Failure to notify people that their data was hacked should be a federal offense,” Cobb said.
White House officials said they expected bipartisan support for these initiatives. However, Congress has stalled on a number of data security and privacy initiatives over the past two years, despite the growing awareness of the problem among key representatives. Several bills focusing on establishing a federal standard for data breach notification have languished in Congress, often never making it out of committee to a floor vote.
Even though the legislative intent may not be new, the current situation has changed. With all the recent data breaches and other security headlines, parents are much more aware of the abuses and risks posed by mass data collection and repurposing, making the proposed student privacy law even more relevant, Cobb said. The ever-growing list of breached organizations has refocused attention on the question of data privacy and how consumers are affected.
These proposals make up a “sensible and positive step” towards improving the safety and security of the nation, and is in line with the president’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, said Dr. Fengmin Gong, co-founder and chief strategy officer of Cyphort.
Federal Breach Notification Law
Currently, data breach notification laws vary state by state, putting companies in a challenging position of sifting through different rules and regulations when dealing with an incident. Some states have enacted strong laws covering student data privacy and breach notification—California has one of the strictest breach notification laws in the nation, for example.
“National standards for breach reporting are long overdue. Right now your right to know if your information has been stolen depends on your state of residence, which is absurd,” said Lance Cottrell, chief scientist at Ntrepid.
Experts were concerned the federal standard may be watered down and wind up being weaker than some existing state laws. Some states already include a “30-day shot clock” in their breach notification laws, where the clock starts ticking as soon as the breach is discovered. Payment Card Industry standards require merchants to notify the PCI Security Standards Council no later than 24 hours after discovering the breach or compromise. California requires notification “as soon as possible without unreasonable delay.”
“There is no good reason for this to be 30 days as opposed to ‘as soon as possible’ with practical guidelines,” said Dr. Fengmin Gong, co-founder and chief strategy officer of Cyphort. “Existing state laws and industry regulations already had “effectively more stringent requirements,” he said. “What could be a good reason for proposing something less?”
However, “the net benefits of a strong uniform federal law outweigh the current patchwork of 40 plus different laws,” Cobb said. Under current laws, a small business in Nebraska selling to people in all 50 states have to deal with dozens of different state laws if a data thief manages to steal customer data. The cost of compliance and recovering from a breach becomes higher—which feels like a double whammy when you stop to consider that the business who has to bear the cost also is a victim of this particular crime, Cobb said.
Many companies are already reticent about notifying customers of a data breach where personal data and financial information were compromised because of reputation damage and the associated costs to clean up the mess. The notification law would take the guesswork out of when the organization has to ‘fess up to a breach. The threat of publicity could wind up putting additional pressure on organizations to “do whatever is possible to avoid breaches rather than simply respond to them,” said Steve Hultquist, chief evangelist at RedSeal.
On the other hand, it would be interesting to see whether the proposed law would have an effect on companies seeking assistance from law enforcement in the case of a data breach, noted Ken Westin, a senior security analyst with Tripwire.
Harvesting Student Data
The Student Data Privacy Act would prohibit technology firms from profiting from information collected in schools through tablet apps, online services, and Internet-connected software. California enacted a comprehensive education privacy law last summer prohibiting companies from collecting student information for advertising and marketing purposes.
The proposals present an opportunity for politicians and companies to reaffirm their commitment to the Fair Information Practice Principles, which form the basis of most privacy notices issued by companies, websites, and apps, Cobb said. “The digital world has changed a lot since these principles were first promulgated and we can expect pushback from some companies, particularly over the definition of notice and consent and limits on repurposing,” Cobb said.
“I think all parents welcome the President’s assertion that ‘the data collected on students in the classroom should only be used for educational purposes—to teach our children, not to market to our children,’” Cobb said. While a popular goal, this proposal would likely be opposed by special interest groups to carve out exemptions, he warned. Recent data breaches and resulting furor may “be enough to push the legislation over the hurdles that are bound to be presented by those with a vested interest in data harvesting,” Cobb said.
The president’s proposal also considered the data being collected by the Internet of Things (IoT), such as home energy usage by smart meters, and called on companies to safeguard the information.
Combating Cyber Crime
The proposals called for stronger laws around cybercrime and clarifying the penalties for computer crime. The penalties need to be in line with other similar non-cyber crimes. “I hope that the associated penalties will also be rationalized when all the details are worked out,” Cottrell said. It wouldn’t make sense to have “absurdly severe punishments for minor infractions,” for example.
The Racketeering Influence and Corrupt Organizations Act (RICO) needs to be updated to apply to cybercrime, and more importantly, the Computer Fraud and Abuse Act needs to be modernized so that insignificant conduct does not fall within the scope of the statute.
“At the moment there is ambiguity about whether violating the terms of service on Facebook, by using a nickname, could be treated as a felony computer crime because it constitutes unauthorized access,” said Cottrell. Aaron Swartz was prosecuted under CFAA, and security experts have said the law was out of date with how the Internet works.
Under the proposed law, selling botnets and stolen financial information such as credit card and bank account details would be a crime. Law enforcement would have the ability to deter the sale of spyware used to stalk users online or commit identity theft. Courts would have the authority to shut down botnets engaged in distributed denial-of-service (DDoS) attacks and other criminal activities. Law enforcement would also be able to prosecute insiders who abuse their ability to access information to use it for their own purposes.
It’s a good thing to make data theft, denial-of-service attacks, and organized cybercrime “even more illegal than before,” said Adam Kujawa, head of Malware Intelligence at Malwarebytes. However, there are still challenges, since cybercrime is a global issue. When going after criminals, the laws of the country where the criminals are located may be a “major roadblock in getting justice,” he said.
Cobb was more optimistic, noting that these changes would clarify the law around cybercrime and give U.S. law enforcement a more solid footing when going after cybercriminals, especially when the trail leads to other countries. “Making clear that America deems theft of data pertaining to, or created by, its citizens is a prosecutable offense will strengthen the ability to indict, arrest, extradite, and convict,” Cobb said.
Carrot or the Stick
The new cybersecurity initiatives also addressed information sharing, with liability protection for organizations sharing the data with government agencies and Information Sharing and Analytics Organizations (ISAOs).
“We need to share information, because no one defender can see what is going on, or which techniques are being used to attack other organizations, etc,” said Dr. Mike Lloyd, CTO at RedSeal. While a good step, Lloyd said if the organization doesn’t understand its defense posture and readiness, it isn’t enough to have timely intelligence. “Knowing that, say, a Heartbleed style of attack is being used on your neighbors doesn’t help much if you can’t immediately answer whether you have the same vulnerability,” he said.
These new security requirements could ultimately turn out to be too expensive or difficult for small business owners to comply with. While acknowledging that may not be fair, Kujawa noted the ultimate victim was the consumer. “If a business can’t afford to apply decent security on their networks that store private customer information, they should consider using a pen and paper,” he said.
