WASHINGTON -- On Monday, President Barack Obama urged Congress to pass new measures to protect Americans online, including requiring U.S. companies to notify customers more quickly when consumer personal information is hacked.
"If we're going to be connected, then we need to be protected," Obama said at a speech at the Federal Trade Commission offices, noting he may be the first president to visit the agency since former President Franklin D. Roosevelt.
"As Americans, we shouldn't need to forfeit our basic privacy when we go online to do our business," he added.
Obama is asking Congress to pass the "Personal Data Notification and Protection Act," legislation that would require companies to notify customers within 30 days of the discovery of a breach if sensitive information is exposed. The legislation would empower the FTC to slap penalties on companies that don't comply, according to The New York Times, and also make it a crime to sell stolen identification information abroad.
The president's announcement arrives following a number of successful, high-profile hacks against American companies, including a cyberattack against Sony Pictures in November, which the U.S. government said was perpetrated by North Korea.
Last September, Home Depot announced hackers had breached customers' sensitive information months earlier, an attack believed to have compromised over 50 million customer credit card accounts and email addresses. The year before, tens of millions customer accounts were breached at Target.
The cyberattacks have raised questions about the extent to which companies are responsible for stolen data. Sony, Home Depot and Target were all hit by lawsuits addressing how they handled the hacks.
In addition to asking Congress to address cyberattacks, Obama is asking it to pass the "Student Digital Privacy Act," a bill that aims to protect student privacy by barring companies from selling student data to third parties for purposes unrelated to education, like advertising.
Last year, Google came under fire for scanning emails students sent on Google Apps for Education, and using that information for advertising. Google has since announced it has ceased the practice. Obama's proposal is modeled after a student privacy law that California passed recently.
Jeffrey Chester, executive director of the Center for Digital Democracy, said the student privacy bill appeared to be "promising," but echoed concerns from other privacy advocates that the data breach legislation will overwrite stronger state laws. According to Gizmodo, for example, California and Connecticut require data breach notification within five days for certain kinds of hacks. Chester said consumers should be notified "right away" when their information is hacked, not within 30 days.
"If pre-emption must be included in federal data breach notification, then the law must at least rise to the level of the strongest state protections," added Amie Stepanovich, senior policy counsel at Access, which supports the U.S. government's attempt at data breach notification legislation. "This would ensure the continued strengthening, and not the erosion, of users' rights."
Obama announced a number of other privacy-oriented measures, including the release of a revised legislative proposal of the 2012 Consumer Privacy Bill of Rights within 45 days. He also will be expanding information-sharing so that the feds can regularly provide evidence of hacking to affected companies.
"We pioneered the Internet, but we also pioneered the Bill of Rights and a sense that each of us as individuals have a sphere of privacy around us that should not be breached," Obama said.
Before You Go
