Business groups and Republicans are used to railing against President Obama's calls for stronger regulation, warning that government mandates will only stifle economic growth. But they're cheering a new data-security plan the president outlined Monday.
The White House's proposal would require companies to notify their customers within 30 days if their personal information has been exposed in breaches such as the ones at Target, Home Depot, and Neiman Marcus.
Companies are enthusiastic about the proposal because they already have to notify consumers about data breaches due to laws in 47 states plus the District of Columbia. The laws vary from state to state, so compliance can be a major headache for national chains like Target.
Obama's plan would create a single national standard for companies to follow.
"Right now, almost every state has a different law on this, and it's confusing for consumers and it's confusing for companies—and it's costly, too, to have to comply to this patchwork of laws," Obama explained in a speech at the Federal Trade Commission. "Sometimes, folks don't even find out their credit-card information has been stolen until they see charges on their bill, and then it's too late."
The proposal won applause from industry groups including the National Retail Federation, the Direct Marketing Association, TechAmerica, the Information Technology Industry Council, and the Software & Information Industry Association.
"When a business is faced with a breach, it's a far better use of its time and resources to focus on mitigating the impact of the breach rather than navigating 47 different state notification laws," said Mary Bono, a former Republican congresswoman who had pushed for data-breach legislation. She is now a vice president at FaegreBD Consulting.
Republican Rep. Michael Burgess of Texas, the new chairman of the House Commerce and Trade Subcommittee, said that one of his first goals for the subcommittee will be passing a data-breach bill.
"Consumers shouldn't have to hold their breath and cross their fingers every time they swipe a card or enter information online," Burgess said. "Cybercrime is a real and escalating concern for the American people, and recent high-profile security breaches have only reinforced the urgent need for congressional action."
But privacy advocates are less thrilled with the proposal. They worry that if Congress preempts state laws, it could actually loosen the reporting requirements for companies.
"Right now, you have a race to the top," said Alvaro Bedoya, the executive director of the Center on Privacy & Technology at Georgetown University Law Center. "There is a patchwork, but right now consumers benefit from that patchwork because companies have to abide by the strongest state's privacy laws."
Justin Brookman, the director of the Consumer Privacy Project at the Center for Democracy and Technology, said he could support a federal data-breach bill—but only if it sets a strong standard and "allows the states a fair amount of autonomy to enforce and enact new protections."
Also on Monday, Obama announced a legislative proposal to restrict the ability of companies to mine the data of students. And he said he plans to soon release a sweeping plan to protect principles he calls the "Consumer Privacy Bill of Rights." The bill would limit how Internet giants like Google and Facebook can collect and handle personal data.
Those steps won praise from the privacy advocates. But the response from industry groups was more predictable.
"We all agree that it's essential to protect consumer data privacy, but new federal regulations won't make consumers any safer," said Mark MacCarthy, vice president of public policy for the Software & Information Industry Association.