In the president's State of the Union address, he made only passing -- but significant -- reference to data security and new legislation to protect consumers. No one would argue that this is needed in the wake of the North Korean attacks on Sony and other attacks throughout the past year on Target, eBay, JP Morgan, Home Depot and others.
The president likened the cyberattacks on data to terrorism, stating:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism."
The recent hack on Sony and its link to foreign governments has ushered in a wave of fear that has compelled our government to act. And yet, new legislation always brings with it new concerns.
While I share President Obama's goals, I fear the complexities of data security could lead to solutions that don't solve the problems -- or actually could make the problems worse. Not to mention that the companies that trade in data will now have the opportunity to lobby for legislation, making new proposals a battleground where what's right and fair to the consumer is not always obvious.
Any new legislation raises questions: will this legislation actually go far enough to protect consumers or will it gut stronger state laws and let businesses avoid or delay the task of actually informing their customers of data breaches?
Then there's the flip side of the data security coin. Will new data security legislation be the Patriot Act for a new era, allowing the government unfettered access to our data in the name of protecting us?
Unfortunately, the current drafts of proposed legislation do little to assuage these serious concerns. Upon review, the legislation looks to take priority over state laws, even if those laws are stronger than the federal initiatives.
In the days leading up to the State of the Union address, President Obama announced new legislative measures to "create a single, strong national standard so Americans know when their information has been stolen or misused." As part of the new proposal, the Personal Data Notification and Protection Act would purportedly "help bring peace of mind to the tens of millions of Americans whose personal and financial information has been compromised in a data breach."
Such measures are welcome if they provide a baseline for states that don't already have data breach laws (currently 48 out of 50 states do have laws on the books), but would be intrusive if they pre-empt state laws, since many states have stronger laws than the current proposed draft.
Case in point: the latest proposal will require businesses to notify data breach victims within 30 days of a breach -- a timespan many privacy experts consider far too long. California and Connecticut, on the other hand, have a five-day window, which gives data breach victims a better opportunity to quickly respond and take protective measures against possible attacks on their credit and identity.
This raises the question: if passed, will the new legislation do anything to actually protect consumers? The current drafts outline stronger sentencing for anyone engaged in hacking -- including those working for firms hired by companies trying to find holes in their security. These good guys would be treated like criminals for doing exactly what the laws are intending -- protecting data.
Which leads us back to the question: do these proposals do anything to actually protect our data? The answer, sadly, is "not likely." The problem is that current proposals only deal with the aftermath of a data breach.
Solutions for what can be done lie with the businesses and corporations that maintain and house consumer data. This is where legislation would be of the greatest help: incentivizing businesses to better protect their customers from lost data and identity theft by enforcing and adopting stronger data security measures. This could mean developing new data security technologies, mandatory data security training for staff, or adopting new user identity measures altogether. If legislation were to hold companies more accountable for protecting customer data, more companies would make protecting data a number one priority. Until that happens, we're just putting out fires.
Consider this: the best chance we have at protecting ourselves is ourselves. That means being more aware of how we share and store our personal information. It means educating ourselves so that we understand how thieves access and use our information against us to commit fraud and take over our identities. It means proactively monitoring our credit reports and reviewing financial accounts for signs of fraud or identity theft. We may not be able to prevent a data breach, but we can take protective measures to minimize our risk of becoming a victim.