President Obama announced his support for new rules on hacking and privacy today, previewing policy proposals he will make in his State of the Union address on Jan. 20. During the speech, hackers hit two high-profile U.S. government targets, gaining control of the Twitter and YouTube accounts of the United States Central Command (CENTCOM) and posting a series of taunting messages.
While the hacks on Monday appeared relatively superficial and limited to CENTCOM's presence on third-party social media sites, the proposals from Obama targeted incidents where digital intruders access the inner workings of a company's computer systems and steal personal data. When companies get hacked like this, executives, employees, law enforcement, and contractors can often find out about the incident long before the customers whose data has been breached.
Obama today called for a single federal standard on notifying customers that their data has been breached, within 30 days of the hack.
"This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard," the White House said today.
The president's proposed legislation would be based on California's existing — and quite strict — rules for cyberattack notifications. California even sued the health care provider Kaiser over a slow response to a customer data breach. Sony, however, had still not formally notified the state of its own massive hacking attack two weeks after it occurred, BuzzFeed News reported last December, though it did extensively notify current and former employees about the release of sensitive personal and financial information.
"We shouldn't have to forfeit our basic privacy when we go online to do business," Obama said.
Two state attorneys general have probed JPMorgan Chase's notification of customers after 76 million households had some account data exposed, and some states, like California, have even sued companies for delayed data notification.
"Major companies get hacked, Americans' personal information, including financial information, gets stolen, and the problem is growing and costs us billions of dollars," Obama said in his remarks today.
The president will also propose new rules around student privacy, including a "Student Digital Privacy Act" that would ban companies from "selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school." The bill would build on private sector efforts to assure students and parents that student data won't be misused. Seventy-five companies have signed a pledge organized by the Future of Privacy Forum and Software & Information Industry Association, but two big players in educational technology — Google and Pearson — have not joined. Obama said companies should commit to not selling student data for commercial purposes "because it's the right thing to do."
When the pledge was first released in October, Apple was not a signatory, but it has now signed on.
"We are proud to stand with President Obama in support of student privacy. Our products are designed with security and privacy in mind so it's easy for parents and educators to set restrictions on devices," an Apple spokesperson said in a statement. Apple's education business has long been part of the DNA of the company, and it has sold over 13 million iPads to school districts.
"We want to prevent companies from selling student data for any other purpose than education." Obama also said the Department of Education would "work with" schools to protect student data. "Some companies use educational technology to collect student data for commercial purposes," Obama said, "like targeted advertising."
This piece has been updated with a comment from an Apple spokesperson.