In a speech given before the Federal Trade Commission (FTC) on Monday, January 12, President Obama proposed federal legislation that would impose a nationwide standard on companies that experience a data security breach. The proposed Personal Data Notification and Protection Act would require businesses to notify their customers within 30 days of discovering a breach of personal information.
Implementation of a national data breach notification standard under the president’s proposal promises to eliminate the current patchwork system of varying state laws on the topic. However, it is unclear at this time whether the proposed legislation would expressly preempt state data breach laws or whether the legislation would still permit states to enact and to continue to enforce stronger laws. Either way, a national standard for responding to a data breach or hack is expected to ease the burden on companies to comply with notification requirements.
The proposed bill would provide the FTC with the power to enforce the new law (if passed) and to issue penalties to companies that fail to comply. Further, the proposed bill would criminalize the international trade of illegally obtained personal information.
Also today, President Obama proposed a Student Digital Privacy Act that would prohibit companies or institutions from selling student data collected in the educational context to third parties for non-educational purposes. The issue of how companies may use student data is gaining attention because of the increasing prevalence of online educational services and Internet-connected learning devices, such as tablets, which are now in use even in early education settings. These types of software and hardware typically record huge amounts of data about their student-users. The proposed legislation would eliminate the risk of the students’ data being released or sold in the future and would encourage the continued use of technology in education by increasing confidence in the security of student data.
These recent proposals serve as a reminder for all businesses to routinely review and update their data security protocols to remain compliant with changes in the law. Further, businesses must consistently implement and enforce their data protection policies. All businesses must take reasonable and appropriate measures to protect personal information against unauthorized access. Companies that receive any indication that their data security might have been compromised should immediately consult with legal and technical experts to limit the damage and ensure compliance with the evolving data security laws.
Ogletree Deakins and the attorneys in its Data Privacy Practice Group continually monitor new standards in data security compliance and regularly counsel their clients on such topics.
Andrew E. Silvia is an associate in the Boston office of Ogletree Deakins.