A new effort by President Obama to tighten cybersecurity at financial institutions and other businesses could help light a fire under some firms that have historically been slower to react in the wake of a data breach and help financial institutions dealing with a tangle of confusing state laws.
The president teed up several new initiatives, urging lawmakers to renew the hot-button issue after multiple bills failed to gain traction in Congress last year. They included new legislation, the Personal Data Notification and Protection Act, which would establish national notification standards that mandate a notice to consumers within 30 days of a breach.
"That is significant because a lot of companies have been dilly-dallying because they say they are in the middle of an investigation and law enforcement needs time," said Avivah Litan, a vice president at Gartner Research. "Timeliness is really important when there is a breach because the longer you wait the less chance you have of stopping the damage."
The president's move is part of a three-day rollout of cyber measures from the White House. His State of the Union address also featured commentary on the recent spate of cyberattacks against retailers, banks and others.
Sony Pictures became the latest high-profile target earlier this winter, when personal data about Sony employees and emails between top executives were stolen and released.
Earlier in January, Morgan Stanley fired an employee it said stole data, including account numbers, for as many as 350,000 wealth management clients and posted some of the information online.
It's possible that these incidents could spur greater attention for these issues, though earlier attacks - like that against Target last winter - failed to translate into legislative wins. It's also not clear that the Republican-controlled Congress will have much appetite for a plan put forward by Obama.
Still, observers noted that the issue is one that resonates well with the public, making it a strategically savvy focus for the president's national speech.
"The issue of cybersecurity is more palpable for everyday Americans than a considerable amount of likely topics in the president's State of the Union address - it's both politically and practically important," said Isaac Boltansky, an analyst at Compass Point Research & Trading.
Obama touted the new cyber proposals, including the 30-day requirement, saying consumers needed to be able to move quickly to head off potential damage to their credit rating.
He also called the current patchwork of state regulations "confusing" and "costly." Many financial professionals agree.
"We've long supported the idea of unifying under a single national standard - that's good for the financial industry," said Jason Oxman, chief executive of the Electronic Transactions Association.
Additionally, the president announced that the administration is moving forward with a revised consumer privacy bill, among other initiatives within the banking industry. "What he is proposing seems very tactically sound because it is something that can actually be acted on," said Julie Conroy, an analyst at Aite Group.
Still, others in the industry were more pessimistic that the latest push would have much impact, noting that lawmakers have debated the notification issue for years without any resolution and that notification standards alone won't stop new attacks.
"The immediate question I have is, will the president's legislative proposal also include a data security standard?" said Nathan Taylor, a partner at Morrison & Foerster. "Even given the recent spate of breaches, I haven't heard calls that notification is broken (i.e., that consumers aren't being alerted to breaches) - the concern has been that the underlying security of the data needs to be improved."
Ryan Donovan, a senior vice president at the Credit Union National Association, added that while the effort is a positive one, it's also unclear whether the notification legislation would touch on how the costs of a breach should be shared among financial institutions, merchants and others involved.
"Here we are almost 13 months after the Target breach was disclosed and credit unions have received - as of December - nothing," he said. "Yet it costs credit unions tens of millions of dollars and ultimately that cost is borne by our members. We would like in a data security bill more that speeds up the reimbursement for the costs incurred as a result of merchant negligence."
Observers added that the White House has so far released very few details on its proposed legislation - beyond the 30-day number - raising questions about what exactly the policy, if enacted, would mean for the financial services industry and others.
"Just having a set number without knowing the conditions around what that really means and what may justify a delay - it's tough to pass judgment," said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable.
Congress debated expanding information-sharing across government and the private sector last year, but legislation never came up for a vote on the Senate floor.
States, meanwhile, continue to develop their own cyber laws, including a new proposal for tougher data security legislation from New York Attorney General Eric Schneiderman.