Obama Breach Proposal Draws Criticism From Many Camps

NEWS ANALYSIS: Many players in the security and privacy space welcome White House attention to the problem of data breaches, but few agree with it completely.

Obama breach proposal

The latest proposal from President Barack Obama regarding legislation that the White House plans to introduce during the current session of Congress is generally welcomed by observers, but just about everyone with an oar in that water wishes it had been somehow different.

Predictably, the Republication-led Congress wants to use its own bill (which varies, depending on whether it's in the House or Senate) while a number of states have already implemented laws on security breaches that reflect their views as to what's best for their residents.

The proposed legislation is actually part of a continuing effort to get Congress to pass meaningful legislation that would set a national standard for how companies respond to the loss of customer confidential data as a result of a breach. For its part, Congress has been dealing with legislation aimed at similar goals for a couple of years, but to date has produced no actual laws covering the issue. The closest Congress came was in the most recent term when the House passed a law that was never addressed in the Senate.

This year, with the House and Senate both being controlled by the same party, there's always the chance that some type of legislation might make it through. Whether any such legislation resembles what the White House is proposing remains to be seen.

During the president's speech at the Federal Trade Commission headquarters, on Jan. 12, he noted that current rules are being enforced by the states, and that means that there's a wealth of differing rules. The proposed national rule that's being floated would require companies that have been breached to notify anyone who is affected within 30 days. But the proposal would also invalidate state laws that are stricter than the federal standard, including rules that call for breach notifications in less than 30 days.

Marc Rotenberg, president of the Electronic Privacy Information Center, told eWEEK that he welcomes the White House's focus on data protection, but he said he worries that the end result could be weaker protection.

"If it replaces stronger state laws currently in place, that will be bad for consumers," Rotenberg told eWEEK in an email. "The White House needs to move forward 'federal baseline' legislation that leaves the states free to develop stronger standards and to innovate."

Equally serious, a number of security researchers said that the White House proposal only covers part of the problem and that more needs to be done, especially in terms of the sharing of breach data and in encouraging companies to work to prevent such breaches in the first place.

"With breaches happening more frequently and the damage getting bigger—especially when the primary threat is coming from the inside—this legislation will do little to slow down or stop the real threat," Eric Chiu, president and co-founder of cloud security company HyTrust, said in a prepared statement. "Ultimately, companies need to stop viewing security as an insurance plan; instead, they need to think of security as a part of doing business. Until that happens, we will continue to see these breaches take place."

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...