White House Calls for Data Security, Emphasizes Importance of Protecting Consumer Data
Written by G.S. Hans
Last Friday, President Obama signed an executive order mandating upgrades to federally issued credit cards and government payment systems in an effort to mitigate data breaches, such as the many publicized breaches that have affected large U.S. companies this year. The executive order only applies to federal entities, but the president also took the opportunity to highlight steps that industry will take to help protect individuals. Several affected companies will roll out “chip-and-PIN” terminals at their stores, and the major credit card companies will also participate in updating technology and educating businesses and consumers about how to better protect their data. We hope that such outreach will include community groups and consumer advocates in order to directly reach affected individuals. These steps are welcome and should more effectively protect individual privacy and data records.
The president also called for federal data breach legislation. According to the White House, such legislation should clarify consumer expectations regarding what happens when data breaches occur and what steps companies must take to notify customers. At present, nearly every state in the U.S. has enacted data breach legislation, and we at CDT have been concerned about whether a federal law would more effectively protect consumers, especially if it preempts state laws. A federal law could theoretically be weaker than the stronger state laws, arguably reducing rather than augmenting the current protections most consumers enjoy, given that some companies may prefer to comply with federal laws rather than enact state-by-state programs. Previous federal data breach bills have had this problem, which is why we haven’t supported them. Meanwhile, states like California (which recently updated its data breach law to require notification to be in plain language) are continuing to revise their data breach laws to adapt to new threats. Given the slow-moving nature of federal legislation, data breach may be an issue best left to the more nimble state legislatures.
On the other hand, a single law could reduce compliance costs for companies and might more effectively communicate to consumers what protections they can reasonably expect. One way to ensure that a federal law doesn’t weaken the current state of consumer protection would be to allow for coordinated enforcement between state attorneys general and the Federal Trade Commission against companies that don’t comply with a federal data breach law. Regardless of specific provisions, any federal data breach legislation should clearly increase, rather than reduce, the level of protections for consumers.
Protecting consumer security is of critical importance in an increasingly networked world, and we’re happy to see the White House support reforms that promote responsible security. The White House’s call for greater security in commercial services came a day after the FBI Director called for mandatory security vulnerabilities. While we respect the mission of law enforcement and the challenges they face, CDT strongly opposes measures to weaken security standards, such as building backdoor access into digital services, which would stifle small businesses and put consumers at risk of data breaches. It’s good news that the White House is moving to strengthen security, but advancing a “CALEA II”-type proposal undermines this effort. We hope that the White House policy recommendations help settle these debates by arguing for the necessity of strong security measures, through corporate compliance, promoting encryption and other standards, and regulatory enforcement.