President Barack Obama
on Monday will call for federal legislation intended to force U.S. companies to be more forthcoming when credit card data and other consumer information is lost in an online breach like the kind that hit Sony
, Target and Home Depot last year, White House officials said Sunday.
The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech scheduled for Monday at the Federal Trade Commission, Obama is expected to say that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country.
The president will also propose the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software, officials said. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an "early warning system" for identity theft.
"As cyber-security threats and identity theft continue to rise, recent polls show that nine in 10 Americans feel they have in some way lost control of their personal information - and that can lead to less interaction with technology, less innovation, and a less productive economy," according to a White House briefing document on the proposed legislation.
Monday's announcements are part of a weeklong focus on privacy and cyber-security by Obama ahead of his State of the Union address next week. White House officials said they expected bipartisan support for the initiatives and did not anticipate fierce opposition from industry or advocacy organizations.
But on Capitol Hill, Obama faces a Republican-controlled Congress for the first time in his presidency. It remains unclear how quickly his adversaries in the House and the Senate will move to take up the cyberlegislation, and whether disputes in other areas could delay their consideration.
Consumer and privacy groups have yet to see details of the president's proposals, and some remain concerned that any federal standard could be weaker than the robust state laws passed in recent years. California, for example, recently passed a state law protecting student data.
"The problem is that the effect will likely be to pre-empt the stronger state laws," said Marc Rotenberg, the president of the Electronic Privacy Information Center, who favors disclosure faster than 30 days. "We want a federal baseline, and leave the states with the freedom to establish stronger standards."
Chris Calabrese, the senior policy director for the Center for Democracy and Technology, said that his group had not rejected the idea of a federal law, but that it depended on how it was written. "There is a lot of concern in the advocacy community about the possibility of a federal law being watered down," Calabrese said.
Corporate data breaches have gained urgency since attacks on Sony Pictures that officials say were done by the North Korean government. Under the proposed law, the discovery of a breach would trigger a "30-day shot clock" that requires notification. The legislation clarifies when breaches must be disclosed and makes it a crime to sell a person's cyberinformation overseas. The Federal Trade Commission would get the power to issue penalties to companies that do not comply.
"There's a crazy quilt patchwork of 48 state laws, and they are in tension with each other," said Jon Leibowitz, a partner at the Davis, Polk law firm and the former chairman of the Federal Trade Commission under Obama. "This is not a flash point, ideological battle here. It could be the kind of legislation that protects privacy, protects consumers and actually has a chance for getting enacted."
The administration's student privacy effort comes as schools across the country are adopting digital education products - including math textbooks and online homework portals - that can collect information about a student's every keystroke. The premise behind the data collection is to customize lessons to the academic needs and learning preferences of each child.
But these data-mining practices have begun to trouble some parents, who say they are concerned that education technology companies could potentially collect - and later share - sensitive details about, for example, a child's disciplinary record or a family's financial status.
To alleviate those kinds of concerns, California last summer enacted a comprehensive education privacy law that largely prohibits companies from collecting student information for advertising and marketing. Children's advocates applauded Obama's plans for a similar law.
"You can't have all this potentially positive use of technology in schools without privacy protection for students, their families and teachers," said James P. Steyer, the chief executive of Common Sense Media, a children's advocacy and media ratings group in San Francisco that has partnered with Google, Apple, Amazon and other companies that distribute the group's educational materials.
© 2015 New York Times News Service