Obama Promotes Cybersecurity Plan in SOTU


By Roy Maurer January 21, 2015

President Barack Obama called on Congress to enact broad cybersecurity legislation during his State of the Union address Jan. 20, 2015, after the mammoth Sony data breach in November served to highlight the struggles companies face in keeping data safe.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” the president said. “We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable.”

Close to half (46 percent) of IT professionals expect their organization to face a cyberattack in 2015 and 83 percent believe cyberattacks are one of the top three threats facing organizations today, according to a new survey of more than 3,400 members of IT association ISACA.

The President’s Cybersecurity Plan

Obama announced a cybersecurity package Jan. 12-13, 2015, that would create a national breach reporting standard, encourage cyberthreat information sharing, and provide “targeted liability protection” from lawsuits related to security breaches or privacy complaints to companies that share cyberattack data with the government.

The Personal Data Notification and Protection Act would establish a 30-day notification requirement after the discovery of a breach to notify employees and customers, standardizing responses to breaches across the country. Companies currently navigate 47 different state laws when dealing with data-breach notification.

The White House plan also encourages the private sector to share cyberthreat information with the Department of Homeland Security. The department will share the information with appropriate federal agencies and private-sector information sharing and analysis organizations, which the legislation encourages be formed. Companies that share information with these entities would have targeted liability protection. “The administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection,” the White House noted. Liability protection has been a critical component for employers participating in a voluntary cyber information-sharing program.

“These are all good ideas, but the devil will be in the details,” said Al Saikali, co-chair of the data security and data privacy practice at Shook Hardy & Bacon, based in Miami. “Chances are, particularly given the new pro-business makeup of Congress, the federal legislation will be less stringent than the most stringent state laws.”

Saikali said that a federal data breach notification law will benefit consumers in states where the floor has been lower than what may be proposed—for example in states where no breach notification law exists—but would end up hurting consumers in states where the floor has been higher than what is being discussed, such as in California, Florida and New York.

Important questions remain regarding the breach notification law, he said.

“How will a ‘breach’ be defined? Is mere access enough? Is exfiltration of data required? Will there be an exception for encrypted data and, if so, what level of encryption is required? What effect, if any, will it have on data breach lawsuits brought under state laws?” Saikali asked.

“Here’s what I want to know: If Congress doesn’t pass any of this legislation, is the president going to issue executive orders … to act unilaterally in some of these areas? That is the real game changer question, and we’ve already seen precedent for this recently in the area of immigration.”

The ISACA 2015 Global Cybersecurity Status Report survey results show that 76 percent of respondents “agree” or “strongly agree” with President Obama’s proposal. When asked about obstacles to timely notification, respondents ranked company concern about corporate reputation first (55 percent), followed by inadequate system design (15 percent), increased cost (13 percent) and insufficient staffing (10 percent).

“President Obama has shown that cybersecurity is a global issue, with implications more far reaching than hacking into celebrity e-mails. This issue unchecked, will topple commerce, financial institutions and governments,” said Elaine Varelas, managing partner of management consultancy Keystone Associates.

Varelas asserted that the accountability for technology breaches needs to be leveled at the CEO and not just the CIO. “Most CIOs have held full accountability, meaning they lost their job, for the loss of private customer information,” she said. “No matter how many technology people lose their jobs, it won’t be until the CEOs and boards lose their jobs and are held accountable for data security breaches that the tide will turn.”

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy

Quick Links:

SHRM OnlineSafety & Security page

Subscribe to SHRM’s Safety & Security HR e-newsletter

Job Finder

Find an HR Job Near You
Search Jobs


Find your peers in SHRM's online community.

Find your peers in SHRM's online community.

Join SHRM Connect


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect