Obama’s Data Breach Proposals Get Associations Talking
The president's plan to tackle cybersecurity issues—expected to be one of his big initiatives in 2015—drew mixed responses from the association world this week. While retail and financial groups welcomed the proposals, a key privacy group questioned whether they focus on the right things.
Data security, an issue that’s long been near the top of the heap for trade groups across the spectrum, just hit a higher spot on President Barack Obama’s own to-do list.
On Tuesday, the president announced a major initiative on consumer privacy and renewed his push for a Consumer Privacy Bill of Rights. But the big talker for many trade groups is the proposed Personal Data Notification and Protection Act, new legislation that would require companies to notify consumers within 30 days when their personal data has been exposed.
“We’ve got to stay ahead of those who would do us harm. The problem is that government and the private sector are still not always working as closely together as we should,” Obama said, according to a Reuters report.
Associations had varying reactions to the proposals.
Financial groups are supportive. The Financial Services Roundtable (FSR), a key advocate for action on data security issues, spoke strongly in favor of Obama’s proposal. “It is critical companies have the tools they need to battle cybercriminals and shield customers from breaches. Strong information-sharing laws will be a critical part of winning that battle,” FSR President and CEO Tim Pawlenty said in a statement. “Cybercriminals, hacktivists, and terrorists aren’t resting and neither should Congress.” The Electronic Transactions Association praised the initiative as a way to avoid a patchwork of state rules. “We’ve long supported the idea of unifying under a single national standard — that’s good for the financial industry,” Jason Oxman, ETA’s CEO, told American Banker.
Retail industry highlights information exchange. Retail outlets are common targets for cybercriminals, and the industry has laid the groundwork for vital information sharing, said Nicholas Ahrens, vice president of privacy and cybersecurity for the Retail Industry Leaders Association. “Collaboration between industry and government to share threat information is crucial in the fight against sophisticated and persistent cyber criminals,” Ahrens said in a statement. “Retailers have made great strides setting up the Retail Cyber Intelligence Sharing Center (R-CISC) and facilitating threat information sharing, both within the industry and also with the government.” The clearinghouse opened last year.
Privacy groups are wary. One notable critic of Obama’s plan is the Electronic Frontier Foundation, which supports action on cybersecurity but says the president’s plan is old news. “Many of these proposals are old ideas from the administration’s May 2011 cybersecurity legislative proposal and should be viewed skeptically,” EFF’s Mark Jaycox and Lee Tien wrote in a blog post. In comments to the National Journal, Jaycox added that it would be better to encourage use of existing information-sharing systems.
Are incentives needed? Considering the sensitivity of releasing breach information, it may not be easy to persuade companies to get behind the notification proposal. That’s led some security experts to suggest that incentives, such as lighter regulations and an inside track to government contracts, might be necessary to get companies to play ball. “The administration has been reviewing these for quite a while now and we are hopeful they will be coming out with a proposal of their own in that direction fairly shortly,” Internet Security Alliance president Larry Clinton told Bloomberg earlier this week.