Despite the Hype, SOTU Is Light on Cyber Security Plans

Since President Obama’s speech at the U.S. Federal Trade Commission (FTC) on January 12, there’s been a lot of discussion about new U.S. cyber security proposals, regulations, and even cyberwar games with the UK. The assumption was that the State of the Union address would serve as a platform to reveal solid details and plans associated with these initiatives. Unfortunately, that’s not what happened.

President Obama certainly did touch on the issue, delivering what The Washington Post termed a “solid quote” about the topic:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.

But that was about it for cyber security legislation (though other tech topics did get similar levels of lip service, including Net Neutrality). As a result, the ideas shared with the FTC provide the most details to date about the President’s data security initiatives, which include the following:

• Addressing identity theft issues – Proposed Personal Data Notification & Protection Act legislation would establish a maximum 30-day window between discovery of data breaches and notification of affected consumers, and would criminalize “illicit overseas trade in identities.” The President has also called on companies like JPMorgan Chase and Bank of America to partner with FICO in giving cardholders access to their credit scores for free.
• Protecting student data – New Student Digital Privacy Act legislation, if passed, would include measures to ensure that data collected for educational purposes would be restricted to that use, preventing companies from selling student data to unrelated third parties and/or using collected data to target advertising efforts. The President has also urged organizations to voluntarily sign the Student Privacy Pledge, an initiative committed to safeguarding student data. As of early January 21, the pledge had 91 signatories from the likes of Apple, Microsoft, and Google.
• Online privacy additions to the Consumer Privacy Bill of Rights – Updates to this 2012 set of principles would focus on “online interactions,” and the President is hoping to turn these proposals into laws.

Though the spotlight on cyber security and identity theft protection is welcomed by most organizations that are grinding it out day-to-day on the breach battleground, the initiatives have been met with speculation and criticism by some policymakers and industry experts alike. With gray areas still to be colored in, it remains to be seen what these federal-level proposals will look like in their final renderings. And with New York Attorney General Eric Schniderman’s data security proposals hitting the press hot on the heels of President’s Obama’s agenda, it will be interesting to see the race to the finish — and who really comes out ahead at the finish line.

Want to strengthen your cyber security posture? Our research with the Aberdeen Group reveals that our security education solution can reduce the risk of a breach by up to 50%.