President Obama Unveils Cybersecurity Proposal Creating a Federal Standard for Consumer Notification

January 15, 2015

This week, President Obama called on the United States Congress to pass cybersecurity legislation by issuing a proposal of his own, which he plans to discuss during the State of the Union Address on January 20, 2015.

The President’s proposal aims to “clarify and strengthen the obligations companies have to notify customers” of a data breach by creating a federal standard, requiring companies to notify affected consumers within 30 days after a data breach is discovered. The proposal also encourages the sharing of cyber threat information between the private sector and federal agencies by providing liability protection to participating companies. Additionally, the President’s proposal would give law enforcement agencies broader power to investigate and prosecute cybercrimes. Several existing laws would be modernized to cover cybercrime, including the Racketeer Influenced and Corrupt Organizations Act (RICO), whose provisions and penalties would be applied to cybercrimes, and the Computer Fraud and Abuse Act, which would be updated to cover corporate insiders who abuse confidential information.

Currently, 47 U.S. states and several U.S. territories have their own individual cybersecurity breach disclosure laws. State law protections differ, creating varied compliance responsibilities for companies that experience a data breach. For example, some laws allow companies an extension of time to notify consumers when disclosure could impede a state criminal investigation. See, e.g., Cal. Civ. Code §1798.82(c); Del. Code tit. 6, §12B-102(c). Other state laws allow substituted notice when notification of a breach is cost prohibitive, or may limit notification to the residents of the state in which the breach occurred. See Mich. Comp. Laws §445.72(5)(d); Mo. Rev. Stat. §107.1500(2)(6)(d); Va. Code §18.2-186.6(A)(4).

So far, Congress has been unable to agree upon a national cybersecurity standard. Importantly, it remains to be seen whether the business community views this proposal as streamlining the patchwork of state notification laws, or whether a national standard is seen as creating additional regulatory burdens on businesses. Additionally, it remains uncertain whether federal agencies will have the exclusive authority to investigate cybersecurity breaches under the President’s proposal.

Dykema’s cybersecurity team will continue to monitor actions by the President and Congress to keep you informed of new cybersecurity compliance obligations. For more information on this article or cybersecurity legal obligations generally, please contact Jonathan Feld at (312) 627-5680, Susan Asam at (313) 568-5332, any of the attorneys in Dykema’s cybersecurity practice group, or your relationship partner.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2021 Dykema Gossett PLLC.