During his recent State of the Union address, President Obama called on Congress “to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information.” His remarks capped off weeks of heightened executive-level activity related to cybersecurity. In rapid succession, the President has proposed initiatives that include establishing a federal data breach notification standard, updating the criminal code to better combat cybercrimes, limiting how companies may use students' information, and updating cyber threat information sharing programs.

These announcements demonstrate clearly that the President will prioritize cybersecurity in 2015. Companies should begin anticipating how to comply with any new federal data security requirements that may emerge to address cybersecurity threats and protect consumers' personal information.

Federal Breach Notification Standard

Last week, the President announced draft legislation that would create a federal data breach notification standard. Currently, if a company experiences a data breach, a consumer may receive notification, but only according to the requirements of a patchwork of state laws that may or may not apply. Although a draft bill has yet to be released, the President has called for the establishment of a 30-day notification requirement from the discovery of a breach.

Combatting Cybercrime

To assist law enforcement in fighting cybercrime, the President proposed criminalizing the overseas sale of stolen financial information, such as credit card and bank account numbers. The proposal would also make illegal the sale of common technologies used by cybercriminals, such as botnets, and empower courts to halt these operations. The President has also called for updates to the Computer Fraud and Abuse Act (CFAA) to clarify that the CFAA applies to insiders who abuse their access to protected systems.

Limiting Use of Student Data

The President also plans to submit for congressional consideration a Student Digital Privacy Act, which would limit the use of information collected about students through educational software. He advocates for student data to be used solely to improve educational outcomes or to improve educational technology. Under this proposal, companies would not be able to use or sell data collected from classroom learning tools for targeted advertising. The President would also require companies collecting student data to have reasonable security measures in place to protect this data. In addition, the President noted that the Department of Education will be providing new tools to help schools and teachers work with technology companies to protect student privacy, and he praised the 75 companies that have signed the Student Privacy Pledge.

Improving Cybersecurity Threat Information Sharing

President Obama has also announced, in conjunction with U.K. Prime Minister David Cameron, enhanced international collaboration to combat cyber threats. These efforts will include better information sharing, joint cybersecurity exercises, and collaboration on security research.

Domestically, the President has proposed a number of initiatives to promote better cybersecurity information sharing between the private sector and the federal government, as well as enhance collaboration and information sharing within the private sector. Under the President’s proposal, businesses would share information with the National Cybersecurity and Communications Integration Center, which would then distribute the information in real time to federal agencies and the private sector-led Information Sharing and Analysis Organizations. Companies that share threat information would receive “targeted liability protection” as long as they took measures to protect consumers' personal data when sharing the information.

White House Summit on Cybersecurity and Consumer Protection

The President has announced that on February 13, 2015, the White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University. Topics at the summit are expected to include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies. The White House announced that federal officials and industry stakeholders will be able to participate in keynote speeches, panel discussions, and small group workshops that will focus on improving cybersecurity practices at a wide range of companies.

Consumer Privacy Bill of Rights

The President plans to introduce legislation to codify a Consumer Privacy Bill of Rights, a draft of which was initially released in 2012. The draft legislation in part called on companies to provide consumers with access to and control over their personal data that a company collected; to provide consumers with easily understandable privacy policies; and to use appropriate security safeguards to protect consumers' personal data. The Commerce Department has recently completed a public consultation process to update the legislation. The revised proposal is expected to be released within the next two months.

Department of Energy Cybersecurity Initiatives

The Department of Energy released its Voluntary Code of Conduct for utilities and third parties collecting information about consumers' energy usage, such as through smart grid-enabled meters and appliances. The Code calls on utilities and third parties to provide consumers with notice and choice about their energy usage information collection practices, access to collected information, and the reassurance that reasonable security measures are in place to protect the collected information. While voluntary, the Code demonstrates regulators' expectations for when utilities and third parties use new technologies to collect information about consumers' energy habits.

The President has also announced that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 historically black colleges and universities and two national labs.

Given the heightened federal attention to threats against consumers’ personal and financial information, cybersecurity could become an area for political consensus this year. Companies should be monitoring any federal developments and be prepared to enhance their existing privacy and data security policies and procedures to address new statutory or regulatory requirements. Ballard Spahr's Privacy and Data Security Group monitors legislative and regulatory developments at both the federal and state levels and can assist with establishing cybersecurity programs.

If you have questions about this alert, please contact Philip N. Yannella at 215.864.8180 or yannellap@ballardspahr.com, or Daniel JT McKenna at 215.864.8321 or mckennad@ballardspahr.com.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
