The Obameter

Mandate standards for securing personal data

"The federal government must partner with industry and our citizens to secure personal data stored on government and private systems. An Obama administration will institute a common standard for securing such data across industries."


Updates

Congress ignores Obama's plan to standardize personal data protection

President Barack Obama introduced his Consumer Privacy Bill of Rights more than four years ago and updated it in 2015, but Congress still hasn't made it law.

Obama promised in his 2008 campaign that he would establish a cross-industry "common standard" for securing personal data stored on government and private systems. Currently, personal data privacy law and regulation is a hodgepodge of narrow laws, court rulings and Federal Trade Commission decisions.

The proposed Consumer Privacy Bill of Rights Act was intended to establish a baseline standard for personal data protection. Under the proposed law, companies would have to develop internal policies for handling consumer information, and the Federal Trade Commission would make sure those policies met certain requirements.

When Obama proposed the latest version in February 2015, however, Congress didn't bite.

Many privacy advocates said the bill wasn't strong enough, giving companies too much control over their data protection standards, and that it contained exploitable loopholes. Some tech companies said the law would create burdensome regulation.

Mark Stroh, spokesman for Obama's National Security Council, pointed to the Federal Trade Commission's recent work related to consumer privacy as one way some standards have developed during Obama's years in office.

Through its decisions, the commission "has codified certain norms and best practices and has developed some baseline privacy protections," wrote law professors Daniel Solove of George Washington University and Woodrow Hartzog of Samford University in the Columbia Law Review in 2014.

The commission also regularly offers guidance for businesses about how to handle consumer information and data security.

On the federal government side, Obama issued an executive order in 2016 that established a Federal Privacy Council to develop best practices for protecting personal data on government agencies' systems.

And in 2014, he signed an executive order to make payments to and from the government more secure. At the same time, several large retail corporations, such as Target and Walmart, agreed to put chip-card readers in their stores to improve financial transaction security.

Still, there is no singular, comprehensive cross-industry standard for protecting personal data, as Obama promised in 2008. Obama tried to advance this issue, but with an unwilling Congress, he was unsuccessful. We rate this Promise Broken.

Sources:

White House, "FACT SHEET: Safeguarding Consumers' Financial Security," Oct. 17, 2014

White House, "President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts," Jan. 13, 2015

White House, "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015," Feb. 27, 2015

White House, "Executive Order -- Establishment of the Federal Privacy Council," Feb. 9, 2016

New York Times, "Obama to Call for Laws Covering Data Hacking and Student Privacy," Jan. 11, 2015

White House, Remarks by the President at the Federal Trade Commission, Jan. 12, 2015

Columbia Law Review, "The FTC and the New Common Law of Privacy," 2014

Atlantic, "Obama's 'Privacy Bill of Rights' Gets Bashed from All Sides," Feb. 27, 2015

Email interview, NSC spokesman Mark Stroh, Dec. 12, 2016

No firm action, but issue remains a priority

Three years into his term, President Barack Obama unveiled a Consumer Privacy Bill of Rights, a set of principles aimed at guiding both consumers and companies that handle private information.

The bill of rights specifies that "consumers have a right to secure and responsible handling of personal data."

When the White House introduced the document in February 2012, it said that the U.S. Commerce Department would bring together companies, privacy and consumer advocates, technical experts and academics to establish specific practices or codes of conduct. The goal is for those codes to become legislation, but that hasn't happened yet.

Other aspects of the cybersecurity debate -- such as how to protect power grids and computer networks from sabotage -- have gotten stuck in Congress. In July, a Senate cybersecurity bill fell eight votes shy of the 60 votes needed to move past a Republican filibuster, and subsequent attempts to bring it back for consideration also failed.

But already, personal data protection and cybersecurity are shaping up as priorities in the next Congress.

Congressional Quarterly Today reported in September that Rep. Zoe Lofgren, D-Calif., introduced two bills that address consumer privacy and Internet governance issues. One of the measures lays out proposals "to update electronic privacy law that predates the Internet so that consumer emails and electronic data are protected from unwarranted government surveillance."

CQ said that Lofgren acknowledged the bills were unlikely to pass this year and she plans to reintroduce them in the 113th Congress.

Lacking action by the current Congress, however, Obama has reportedly drafted an executive order governing an array of cybersecurity issues. The move has drawn criticism from some Republicans, but it's a sign that tackling Internet privacy and protecting the nation's computer networks remain a high priority. We'll watch for more solid progress on this front and leave the needle at In the Works.

Sources:

Forbes, "President Obama's Consumer Privacy Bill of Rights," Feb. 23, 2012

WhiteHouse.gov, "We Can't Wait: Obama Administration Unveils Blueprint for a 'Privacy Bill of Rights' to Protect Consumers Online," May 12, 2011

CQ Today, "Tech Priorities for Next Congress Begin to Appear," Sept. 26, 2012

Bloomberg News, "Limits Seen in White House Cybersecurity Executive Order," Sept. 28, 2012

Email interview with Mark Jaycox, policy analyst with the Electronic Frontier Foundation, Nov. 16, 2010

Associated Press, "Draft order seeks to improve US digital defenses," Sept. 10, 2012

THOMAS, Cybersecurity Act of 2012, introduced July 19, 2012

Email interview with Eric Schultz, White House spokesman, Nov. 14, 2012

Bills introduced in Congress would mandate standards for personal data

On April 30, 2009, Rep. Bobby Rush, D-Ill., chairman of the Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, introduced H.R. 2221, the Data Accountability and Trust Act of 2009. One of the main purposes of the bill is to require "reasonable security policies and procedures to protect data containing personal information."

The bill was co-sponsored by legislators on both sides of the aisle: Rep. Joe Barton, R-Texas, ranking member of the House Committee on Energy and Commerce; Rep. Cliff Stearns, R-Fla., the Republican leader on the Communications, Technology and the Internet Subcommittee; Rep. George Radanovich, R-Calif.; and Rep. Janice Schakowski, D-Ill.

In a statement before his subcommittee, Rep. Rush said the bill "requires that persons possessing electronic data that contain personal information must take steps to ensure that the data is secure."

According to a Congressional Research Service summary of the bill, the act would require the Federal Trade Commission to institute regulations requiring people engaged in interstate commerce that own or possess electronic data containing personal information to establish security policies and procedures. It authorizes the FTC to require standard methods for destroying obsolete nonelectronic data. It also would require keepers of personal information records to establish procedures to verify the accuracy of information; provide people whose personal information they maintain a means to review it; place notice on the Internet instructing individuals how to request access to such information; and correct inaccurate information.

On Dec. 8, 2009, the bill passed in the House with a voice vote. The next day, it was referred to the Senate Committee on Commerce, Science, and Transportation.

In addition, the Department of Homeland Security is working with Congress to pass S. 1261, a bill that seeks to better protect the security, confidentiality, and integrity of personal information collected by states issuing drivers' licenses and other identification documents. The bill was introduced by Sen. Daniel Akaka, D-Hawaii, on June 15, 2009, and currently is before the Committee on Homeland Security and Governmental Affairs.

We move this promise to In the Works.

Sources:

Library of Congress, H.R. 2221, the Data Accountability and Trust Act of 2009

Web site of Rep. Bobby Rush, Statement by Rep. Rush, Chairman Energy and Commerce Subcommittee on Commerce, Trade and Consumer Protection, at the Hearing on H.R. 2221, May 5, 2009

Library of Congress, S.1261 REAL ID Act