In a speech given before the Federal Trade Commission (FTC) on Monday, January 12, President Obama proposed federal legislation that would impose a nationwide standard on companies that experience a data security breach. The proposed Personal Data Notification and Protection Act would require businesses to notify their customers within 30 days of discovering a breach of personal information.

Implementation of a national data breach notification standard under the president’s proposal promises to eliminate the current patchwork system of varying state laws on the topic. However, it is unclear at this time whether the proposed legislation would expressly preempt state data breach laws or whether the legislation would still permit states to enact and to continue to enforce stronger laws. Either way, a national standard for responding to a data breach or hack is expected to ease the burden on companies to comply with notification requirements.

The proposed bill would provide the FTC with the power to enforce the new law (if passed) and to issue penalties to companies that fail to comply. Further, the proposed bill would criminalize the international trade of illegally obtained personal information.

Also today, President Obama proposed a Student Digital Privacy Act that would prohibit companies or institutions from selling student data collected in the educational context to third parties for non-educational purposes. The issue of how companies may use student data is gaining attention because of the increasing prevalence of online educational services, Internet-connected learning devices, such as tablets, which are now in use even in early education settings. These types of software and hardware typically record huge amounts of data about their student-users. The proposed legislation would eliminate the risk of the students’ data being released or sold in the future and would encourage the continued use of technology in education by increasing confidence in the security of student data.

Key Takeaways

These recent proposals serve as a reminder for all businesses to routinely review and update their data security protocols to remain compliant with changes in the law. Further, businesses must consistently implement and enforce their data protection policies. All businesses must take reasonable and appropriate measures to protect personal information against unauthorized access. Companies that receive any indication that their data security might have been compromised should immediately consult with legal and technical experts to limit the damage and ensure compliance with the evolving data security laws.

Ogletree Deakins and the attorneys in its Data Privacy Practice Group continually monitor new standards in data security compliance and regularly counsel their clients on such topics.

Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
Practice Group

Employment Law

Ogletree Deakins’ employment lawyers are experienced in all aspects of employment law, from day-to-day advice to complex employment litigation.

Learn more
Inside a large shopping mall in Almaty
Industry Group


Ogletree Deakins is a retail industry leader with clients ranging from brick-and-mortar retailers to online merchants, and small businesses to Fortune 500 corporations. We represent companies in a range of retail sectors, including but not limited to: discount stores, department stores, luxury retailers, home goods and specialty stores, home improvement centers, grocers, pharmacies, online retailers…

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now