01/21/2015 03:11 pm ET Updated Mar 23, 2015

Will Obama's Latest Privacy and Identity Protection Initiatives Make a Difference?

By Neal O'Farrell, security and identity theft expert for

Maybe we'll end up calling it the Sony effect, but after years of cybercrimes and data breaches, and endless erosion of our privacy, it seems like the Sony debacle was the final straw for President Obama.

Last week President Obama proposed a raft of new legislative initiatives designed to improve consumer protections on issues like identity theft and privacy. If they're ever adopted, they might make a difference. Or maybe not.

While many experts are calling the efforts somewhat worthy, others are pointing out that they're both just a rehash of legislation previously proposed and rejected, and many are little more than voluntary codes of conduct with few sharp teeth to back them up.

Here were just some of the proposals:
  • The Personal Data Notification and Protection Act would require companies to notify customers that their personal information has been exposed in a data breach within 30 days of discovering the breach. The hope is that the sooner consumers are aware that their identity might be vulnerable, the sooner they can take defensive measures.
  • The Act would also criminalize oversees trading in stolen identities, although it's hard to imagine how that might be enforced in countries unwilling to cooperate.
  • A number of banks and credit unions have begun offering free credit scores to consumers as another way to provide early warning signs of identity theft. This would be great if credit scores actually helped identify signs of identity theft. Unfortunately, many identity theft warning signs start with the consumer's credit reports, and most of these potential warning signs have no impact on their credit scores whatsoever. The best tool for detecting identity theft is credit monitoring, which is designed specifically to alert consumers when there are potential signs of fraud or identity theft. Even then, it really only tells consumers that they're a victim after the fact, and maybe months after.
  • There will be increased efforts to increase student privacy at school, and especially the way schools and businesses collect and use student personal information.
  • Teachers will become students of security and privacy so they can better understand how to improve student security and privacy.
The announcement also referenced additional efforts by the FTC to educate consumers about how to prevent identity theft. I'm not sure how much help that will be, because the FTC's role in identity theft is often a cause for confusion for victims. Victims of identity theft are encouraged to report the crime to the FTC, but often not understanding that it's not the same as a police report, and won't result in any action by the FTC. The reporting simply helps the FTC keep track on identity theft statistics and share that information with law enforcement (who don't investigate identity theft anyway).

The devil will be in the details, where it always is. But the devil will also be in the bigger challenges, like making businesses and schools aware of what their new security and privacy obligations will be, persuading them to care enough to comply and policing them to ensure enforcement.

Another word of caution before you feel confident enough to post your Social Security Number on the side of a bus: there have been six previous attempts to pass similar legislation in Congress in just the last two years, and they all failed.

So while it all sounds like a positive, if small step forward, no one's sure if the step will ever actually be taken. If it is, will it be a tiptoe or a giant leap? Privacy and security legislation are notorious for being very, very slow -- and time is something consumers don't have the luxury of.