In the lead-up to the 2015 State of the Union address, President Barack Obama announced a string of policy recommendations aimed at improving the privacy and security of data. If implemented, these proposals could affect the way many businesses run their data collection and analysis programs.
"If we don't act, we'll leave our nation and our economy vulnerable," Obama said in the State of the Union. "If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
He issued a number of policy recommendations. Most relevant to businesses is the Personal Data Notification and Protection Act, which would require businesses to notify all customers within 30 days of a data breach, and the reintroduction of the Consumer Privacy Bill of Rights, a bill Obama introduced in 2012 that would give consumers more visibility and control over how companies collect and use personal data.
The recommendations come at a time when Americans are more aware of and concerned about data privacy and security than ever before. Large data breaches at Target, Home Depot and JP Morgan over the last couple of years have alerted consumers to the amount of data businesses have on them and the difficulty of securing it.
Meanwhile, the Edward Snowden revelations have raised the profile of data privacy. In a November 2014 poll conducted by the Pew Research Center, 80% of social networking site users said they have concerns about advertisers and other third-party businesses accessing the data they share online.
Obama's proposals address these twin concerns. But not everyone is satisfied. Timothy Keller, a lawyer with the Minneapolis-based firm Lindquist & Vennum, who counsels business clients on data and digital asset matters, said the proposals represent a missed opportunity. At a time when Obama could have offered proposals that both strengthen consumers' digital rights and provide greater certainty for businesses, he did neither, Keller said.
"A lot of us were hoping to see federal legislation that would bring some singular control to the issue and allow businesses to know with certainty what the requirements are," Keller said. "What sticks out to me is disappointment."
He said that most businesses wouldn't mind new legislation, even if it is more stringent than what's on the books today. The key issue is certainty. Right now there is little, as state-level laws are the only guideposts, and these data security laws vary from one state to the next. Some states, like California and New York, have stringent data privacy and security laws, while others, including Alabama, New Mexico and South Dakota, have no relevant laws at all.
John Myers, managing research director at Enterprise Management Associates, said the situation is particularly challenging for international businesses. Data privacy and security laws are stronger in places like Europe and Latin America. This means some businesses must maintain two sets of policies that direct how they use customer data.
"A lot of people around the world think data privacy rules in the U.S. are kind of the Wild Wild West," Myers said. "We are well past due for having a privacy and security discussion."
The only legal consequences for poor data privacy and security for businesses today come from the Federal Trade Commission, which has a broad mandate to police commerce in general. The agency has started becoming more active in penalizing businesses for data breaches in recent years, but Keller said this is not what the business community needs. The FTC's standards say businesses may be subject to penalties if a data breach leads to a "reasonable risk of harm" to consumers, which Keller said is too subjective to be predictable.
Furthermore, regulatory rules could be undone by future presidential administrations, which compounds the problem of uncertainty.
Given Republican opposition in Congress to much of Obama's agenda, any proposal is unlikely to become law. Because of this, Keller thinks businesses will labor under the uncertainty of federal privacy and security laws for some time.
"Federal legislation is introduced year after year and it's gone nowhere, so I'm not optimistic," he said.