Sunday, November 23rd, 2014

Rating Obama's promises on cybersecurity

As Obama nears the end of his first term, we're checking to see if he's kept his campaign promises. (2012 AP Photo)

President Barack Obama promised during his 2008 campaign to mandate standards for securing personal data and to require companies to disclose data breaches.

They’re both consumer-friendly goals that get talked about a lot. But passing them into law? That’s another story.

PolitiFact, the Times’ national politics fact-checking website, has compiled more than 500 of Obama’s campaign promises and is tracking their progress on our Obameter.

The Obama administration unveiled an expansive cybersecurity proposal last year that said business entities holding records on more than 10,000 individuals during any 12-month period would be required to alert people in the event of a data breach, "unless there is no reasonable risk of harm or fraud to such individual."

The White House said a federal disclosure law would help businesses "by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements."

"The president put a lot of effort into developing a comprehensive and generally widely-praised privacy protection platform," said Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. "We want it stronger; industry wants it weaker, but it is pretty substantive."

Obama’s platform remains in the proposal stage. Other aspects of the cybersecurity debate have kept Republicans and Democrats from passing legislation.

The 2009 Data Accountability and Trust Act would have required "reasonable security policies" to protect personal information. It passed the U.S. House of Representatives but died in the Senate. Similar bills met the same fate.

"The privacy issue is tied up on the Hill for a variety of reasons -- partly because privacy and consumer groups do not want it to preempt stronger state laws, but industry special interests do; because those industry groups also want it to be watered down as well as ensure that it preempts all stronger state laws," Mierzwinski said. "Those special interests want to defeat any privacy law that might impact their wild-west use of personal information on the Internet."

The fight in Congress has dragged on so long that the Obama administration is now reportedly considering an executive order on cybersecurity, although it’s not clear such an order would include a data breach disclosure requirement.

What’s more, executive orders generally are not as strong as legislation.

The executive order "only initiates agencies to start policies and practices. Most likely it won’t require public disclosure. It may not even mandate private disclosure to the government," said Mark Jaycox, policy analyst with the Electronic Frontier Foundation, a think tank dedicated to free speech, privacy and consumer rights issues.

Because there’s no new requirement on the books for companies to disclose data breaches, we rate this a Promise Broken.

But an executive order could be effective for setting standards for securing personal data, at least for companies that interact with the federal government. So we leave this promise rated In the Works.