WASHINGTON (1/13/15)--A proposal that would provide a national notification standard for companies affected by data breaches was unveiled by President Barack Obama Monday in a speech at the Federal Trade Commission. The speech also included other proposals to protect consumer data.
"CUNA welcomes President Obama's engagement in the critical issue of data breaches," said CUNA President/CEO Jim Nussle. "We hope that any legislation that is enacted requires merchants to follow the same type of data security standards that credit unions and other financial institutions must follow, enables consumers to be notified in a timely manner and ensures that credit unions are reimbursed for costs they incur as a result of merchant data breaches--all issues CUNA has been voicing to Congress."
One piece of legislation proposed by the president is the Personal Data Notification and Protection Act. The proposal would clarify and strengthen obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach. It would also create a single, national standard for notification. (See related stories: Obama cites CUs' programs for ID theft protection; CUNA, CUs stay on top of data breach effects.)
Currently, states have a number of different laws (and proposed laws) that require companies that are victims of data breaches to notify their customers. Some require notifications to be made within a specific number of days of discovery of a breach, and others simply use terms like "as expeditiously as possible." Obama's proposal aims to create a national law with more concrete language.
Obama also proposed additions to the Consumer Privacy Bill of Rights. The administration released the bill of rights in 2012, and the U.S. Department of Commerce will release shortly the results of public consultation on potential draft legislation.
Sen. Mark Warner (D-Va.) wrote a letter to the Federal Reserve and the Consumer Financial Protection Bureau Monday, expressing concerns that federal agencies are not encouraging microchip technology in credit and debit cards in the private sector. Such measures would go a long way to prevent fraud and data theft, Warner said.
According to the White House, it will release a revised legislative proposal regarding the Consumer Privacy Bill of Rights within 45 days.
For these proposals to move forward, a bill would have to be drafted by a federal lawmaker and introduced in Congress.
Other CUNA priorities in the field of data security include:
These issues were not addressed in the president's legislative proposal.