US president Barack Obama is calling for a single US data breach notification law among a raft of proposed legislation to improve US data security.
In a speech at the US Federal Trade Commission, Obama previewed his State of the Union address on 20 January by outlining legislation he would like Congress to pass.
Embarrassingly, the speech coincided with news that a group backing Islamic State had compromised the US military Central Command’s Twitter and YouTube accounts.
“As we've all been reminded over the past year, including the hack of Sony, this extraordinary interconnection creates enormous opportunities, but also creates enormous vulnerabilities for us as a nation, and for our economy, and for individual families," said Obama.
If passed as part of a new Consumer Bill of Rights, the Personal Data Notification & Protection Act will require companies to alert customers within 30 days of discovering a security breach of customer data.
The law is aimed at simplifying and unifying the different data breach notification laws that have been passed by several states in the past 10 years.
The proposed legislation is in response to a series of data breaches at major US retailers in which personal details of millions of customers were exposed.
Obama also outlined proposals aimed at improving student data protection. The Student Digital Privacy Act is aimed at stopping companies from selling student data to third parties for non-educational purposes.
He said parents had a responsibility to protect their children online and teach them best practices, but said they needed help from the companies involved as well.
Building consumer trust
The International Association of Privacy Professionals (IAPP) said US and world organisations have been given a clear indication that they will have to show US consumers that they understand the value of their data and they are prepared to treat it with care and transparency.
“Our members stand at the ready to help companies with this incredibly difficult task,” said IAPP president and chief executive Trevor Hughes.
“The amount of data that companies are collecting from consumers is increasing exponentially. From smartwatches to fitness trackers to home automation technology and internet-connected televisions, technology companies are closer than ever to people’s most private spaces.
“That can create anxiety and unease for consumers unless they have deep trust in the companies they’re doing business with. IAPP members are trained to help companies create that trust and make sure it’s not violated,” he said.
According to Hughes, the IAPP’s 20,000 members span the globe, working with organisations of all kinds to adhere to data privacy regulations and create cultures of privacy awareness.
“Privacy and transparent handling of data is vital for innovation, creativity and a vibrant digital marketplace. We are seeing countries around the world become increasingly sensitive to privacy issues and the digital world. It is vital that organisations understand privacy and all its nuances and factor it into their growth plans and risk assessments,” he said.
The Internet Security Alliance (ISA) said it was pleased that the Obama administration is enhancing the incentives for information sharing.
“We are delighted they are also reviewing the entire information-sharing architecture, which is stuck in a 20th century industrial model,” said ISA president and chief executive Larry Clinton.
“We also welcome the administration’s and, we hope, Congress’s, new focus on cyber crime. While protecting critical infrastructure from catastrophic cyber attack is obviously important, 95% of all cyber attacks are economic in nature – mostly theft – yet we successfully prosecute less than 2% of cyber criminals,” said Clinton.
“Policy makers have spent too much time and rhetoric blaming the victims of cyber attacks and not nearly enough empowering and resourcing our law enforcement agents to go after the criminals themselves,” he said.
According to the ISA, the main problem with the current information-sharing structure is its inability to reach small and mid-sized enterprises (SMEs) with easily actionable information.
ISA is calling for an alternative cross-sector model that uses the economies of scope and scale available to larger firms to make it easier and cheaper for smaller firms to fend off cyber attacks.
Commentators have made similar statements regarding the UK government’s Cyber Essentials Scheme aimed at encouraging all UK companies to raise their level of cyber security.
“The steps being announced this week are good, but not nearly enough. Our cyber platform is inherently weak and getting weaker with the explosion of mobile devices and the internet of things,” said Clinton.
“The attackers are getting better as techniques confined to nation states a few years ago are now being used by common criminals,” he said.
Clinton highlighted the fact that all the economics of cyber security favour the attackers, because attacks are easy and cheap to launch and the profit margins are great.
“On the other hand, defence is hard – a generation behind the attackers – and law enforcement is currently inadequate. Better information sharing would be good, but no one should think that is anywhere near enough to address our growing cyber security problems,” he said.