Obama wants firms to notify customers within 30 days of data breaches


President Obama on Monday proposed the first federal standard for data breaches, which would require companies to notify customers within 30 days of the discovery that their personal information was exposed to hackers.

In a speech at the Federal Trade Commission, Obama also called for federal protection of information collected from students at school. That proposal, based on a California law enacted last year, would prevent companies from selling student data to third-party firms for purposes unrelated to education, such as sending them targeted advertising.

Obama said the hacking at Sony Pictures Entertainment and large-scale data breaches at major retailers showed the “enormous vulnerabilities” of the nation and the economy to cyberattacks.


“This is a direct threat to the economic security of Americans’ families and we’ve got to stop it,” Obama said. “If we are going to be connected, then we need to be protected.”

The initiatives come as Obama focuses this week on technology issues, including strengthening cyber security and increasing Internet access, that he will tout in his Jan. 20 State of the Union address.

One of his proposals is the Personal Data Notification and Protection Act, which the White House said would “help bring peace of mind to tens of millions of Americans whose personal and financial information has been compromised in a data breach.”

Target Corp. and Home Depot Inc. are among the retailers that have reported large data breaches.

Obama said the proposal to require customer notification of such breaches within 30 days would “create a single, strong national standard” so consumers know when their information is stolen and make it easier for companies to deal with such hacks.

Currently, a patchwork of state laws governs data breach notification. But some of those laws are tougher than Obama’s proposal.


California, for example, requires notification of customers when a company discovers their information has been acquired by unauthorized parties. Companies must make the notification “in the most expedient time possible, without unreasonable delay,” a standard many states have.

The White House also said that two of the nation’s largest banks, JPMorgan Chase & Co. and Bank of America Corp., will join other financial firms in making credit scores available for free to their credit and debit card customers.

Obama said privacy and data security are not partisan issues and expressed hope that Republicans in Congress would work with him.

Sen. John Thune (R-S.D.), who became chairman of the Senate Commerce Committee this month as Republicans gained control of the chamber, said he would work with Obama on the issues.

Thune is among congressional leaders scheduled to meet with Obama at the White House on Tuesday. Thune said he expected they would discuss Obama’s call for a federal data-breach notification standard, as well as legislation to improve the ability of private companies to share cyberthreat information.

Key House Republicans also said it was time for Congress to act.

“Consumers shouldn’t have to hold their breath and cross their fingers every time they swipe a card or enter information online. Cyber crime is a real and escalating concern for the American people, and recent high-profile security breaches have only reinforced the urgent need for congressional action,” said Rep. Fred Upton (R-Mich.), chairman of the House Energy and Commerce Committee, and Rep. Michael Burgess (R-Texas), who heads a subcommittee that oversees the Federal Trade Commission.

For breaking economic news, follow @JimPuzzanghera on Twitter