WASHINGTON — A new push by President Obama to tighten cybersecurity at banks and other businesses could help light a fire under some firms that have historically been slower to react in the wake of a data breach and help financial institutions dealing with a tangle of confusing state laws.
The president teed up several new initiatives on Monday, urging lawmakers to renew the hot-button issue after multiple bills failed to gain traction in Congress last year. They included new legislation, the Personal Data Notification and Protection Act, which would establish national notification standards that mandate a notice to consumers within 30 days of a breach.
"That is significant because a lot of companies have been dilly-dallying because they say they are in the middle of an investigation and law enforcement needs time," said Avivah Litan, a vice president at Gartner Research. "Timeliness is really important when there is a breach because the longer you wait the less chance you have of stopping the damage."
The president's move is part of a three-day rollout of cyber measures from the White House ahead of next week's State of the Union address, which will also feature commentary on the recent spate of cyberattacks against retailers, banks and others. Sony Pictures became the latest high-profile target earlier this winter, when personal data about Sony employees and emails between top executives were stolen and released.
It's possible that the incident could spur greater attention for these issues, though earlier attacks — like that against Target last winter -failed to translate into legislative wins. It's also not clear that the Republican-controlled Congress will have much appetite for a plan put forward by Obama.
Still, observers noted that the issue is one that resonates well with the public, making it a strategically savvy focus for the president's national speech next week.
"The issue of cybersecurity is more palpable for everyday Americans than a considerable amount of likely topics in the president's State of the Union address — it's both politically and practically important," said Isaac Boltansky, an analyst at Compass Point Research & Trading.
Obama touted the new cyber proposals, including the 30-day requirement, saying consumers needed to be able to move quickly to head off potential damage to their credit rating.
"When these cybercriminals start racking up charges on your card, it can destroy your credit rating," Obama said during remarks at the Federal Trade Commission. "It can turn your life upside down. It may take you months to get your finances back in order. So this is a direct threat to the economic security of American families and we've got to stop it."
He also called the current patchwork of state regulations "confusing" and "costly." Many bankers agree.
"We've long supported the idea of unifying under a single national standard — that's good for the financial industry," said Jason Oxman, chief executive of the Electronic Transactions Association.
Additionally, the president announced that the administration is moving forward with a revised consumer privacy bill and is introducing legislation restricting companies from selling student data to certain third parties. He also provided some updates on earlier initiatives — noting that JPMorgan Chase and Bank of America, for example, have agreed to join an effort to make credit scores free to some of their customers.
"What he is proposing seems very tactically sound because it is something that can actually be acted on," said Julie Conroy, an analyst at Aite Group.
Still, others in the industry were more pessimistic the latest push would have much impact, noting that lawmakers have debated the notification issue for years without any resolution and that notification standards alone won't stop new attacks.
"The immediate question I have is, will the president's legislative proposal also include a data security standard?" said Nathan Taylor, a partner at Morrison & Foerster. "Even given the recent spate of breaches, I haven't heard calls that notification is broken (i.e., that consumers aren't being alerted to breaches) — the concern has been that the underlying security of the data needs to be improved."
Ryan Donovan, a senior vice president at the Credit Union National Association, added that while the effort is a positive one, it's also unclear whether the notification legislation would touch on how the costs of a breach should be shared among financial institutions, merchants and others involved.
"Here we are almost 13 months after the Target breach was disclosed and credit unions have received — as of December — nothing," he said. "Yet it costs credit unions tens of millions of dollars and ultimately that cost is borne by our members. We would like in a data security bill more that speeds up the reimbursement for the costs incurred as a result of merchant negligence."
Observers added that the White House has so far released very few details on its proposed legislation — beyond the 30-day number — raising questions about what exactly the policy, if enacted, would mean for the financial services industry and others.
"Just having a set number without knowing the conditions around what that really means and what may justify a delay — it's tough to pass judgment," said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable.
Obama is expected to continue his cybersecurity rollout this week with a discussion on information-sharing on Tuesday and high-speed broadband on Wednesday.
Congress debated expanding information-sharing across government and the private sector last year, but legislation never came up for a vote on the Senate floor. Whether Obama can or will do more unilaterally to spur better communication across different groups remains to be seen, though observers said legislation is needed to strengthen liability protections for the businesses actually sharing data.