Obama proposal: Hacked companies must notify customers within 30 days

WASHINGTON — In a State of the Union preview, President Obama on Monday is expected to demand quicker confessions from companies that lose your data as well as better privacy for students.

One proposed law would give a company 30 days to let you know if your personal information — such as your address or Social Security number — has been exposed by hackers or careless employees.

The Personal Data Notification & Protection Act is an attempt at a nationwide, uniform rule. Right now, there are 47 different state laws that govern data breaches. Depending on the situation, people in some states get notified, while others are left in the dark. It’s a mess.

Data breaches are increasingly common. Last year, hackers broke into Home Depot, Albertson’s and so many others that CNNMoney developed its own tool: What hackers know about you.

The president’s other proposed law, the Student Digital Privacy Act, is meant to stop the sale of sensitive student data for non-education purposes. Now that students routinely use laptops, tablets and computer programs at school, lots of that data is being collected — and sometimes sold to advertisers and financial companies.

The fear? That information might be used by money lenders to prey on students — or by colleges or future employers to judge students unfairly.

The president will also endorse the “student privacy pledge” already signed by 75 firms including Apple and Microsoft. It’s a promise by companies to only use student data collected at school for education purposes, not observe behavior to target advertisements and not keep data for long.

Obama will speak about the proposed legislation at a midday speech Monday before the Federal Trade Commission, according to a White House spokeswoman. The president also plans to mention them during his State of the Union speech on Jan. 20.

The administration cited a recent poll that showed 91% of Americans feel they’ve lost control of their personal information. Last year was so riddled with cyber break-ins that, early on, half of American adults had their personal information exposed.

“That can lead to less interaction with technology, less innovation, and a less productive economy,” the White House said in a statement.

Other privacy and security bills

The national consciousness for cybersecurity peaked with the Sony hack over the holidays.

As a result, expect to hear a lot more about privacy and cybersecurity from politicians in 2015. Some in Congress are trying to revive a controversial cybersecurity bill that increases information sharing between companies and government to stop hackers.

The nameless bill, H.R. 234, was introduced to the House of Representatives on Friday by C. A. Dutch Ruppersberger, a Democrat from Maryland.

It’s essentially another go at the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in 2012, but got knocked down in the Senate.

The idea is to provide basic rules to develop closer bonds between law enforcement and all types of companies: banks, energy providers, retailers, etc.

When hackers attack an industry, companies already share some information. But they often hold back data, afraid to give competitors an edge or admit they were hacked. Also, the tips they get from the FBI and Department of Homeland Security are late and vague, because few companies have permission to know “classified” government secrets.

This proposed law would protect firms from lawsuits related to this kind of data sharing and make them government insiders. But these ideas scare privacy advocates, because they could be used as a blanket excuse for snooping on your personal life. That’s why President Obama threatened to veto it the first time around.