"A Closer Look At Obama's Plan To Protect Consumer Data"

AUDIE CORNISH, HOST:

President Obama is talking about cybersecurity - how to ensure our safety when we step into the digital world. One key proposal sounds pretty straightforward. Companies should tell us, in a timely manner, if our data has been hacked. By timely manner the president means 30 days, but some cybersecurity experts say the president's proposals don't address the core issues. NPR's Aarti Shahani reports.

AARTI SHAHANI, BYLINE: If your data is stolen, it would be nice to know.

DAVI OTTENHEIMER: That's correct. You can protect yourself or at least know that you're at risk when you know that you've been breached.

SHAHANI: Davi Ottenheimer, with EMC, has been auditing retail security for decades.

OTTENHEIMER: Otherwise, you might not pay attention at all.

SHAHANI: You can't sign up for credit monitoring. You won't know to read every line of your bank statement, looking for signs of identity theft, if the company that's been attacked doesn't tell you to watch out. The history of cyberattacks is littered with examples of companies that didn't want to fess up - like when Walmart waited until 2009 to admit it was hacked in 2005.

OTTENHEIMER: They need to be told when to notify people about being harmed.

SHAHANI: The U.S. already has a federal rule on health care breaches. Ottenheimer says this 30-day proposal for consumer data gives the company reasonable enough time to investigate. And it helps clean up the messiness created by all those state laws that say different things.

OTTENHEIMER: It's going to have a huge impact because we've been working on the state level so far and every state doesn't have their own interpretation. The Feds may be more reasonable.

SHAHANI: A senior administration official describes the proposal as a major push. And the National Retail Federation is very pleased to have one federal rule to replace the current patchwork. But John Dickson, a security expert with the Denim Group, says retailers may just be breathing a sigh of relief because President Obama isn't demanding much.

JOHN DICKSON: There's nothing magical about the 30-day notification.

SHAHANI: The White House proposal is thin on key details, like - do the 30 days begin when a company suspects it's been hacked or when it confirms the fact? And who exactly has to tell consumers, the brand we know, like Target, or the subcontractor behind the scenes that may have been the weak link in the digital chain? Also, if the data is supersensitive, Dickson says, 30 days may be too long.

DICKSON: Is it just, you know, your name and address? Or is it your name, address and Social Security number?

SHAHANI: Last year the White House announced voluntary standards for companies to follow to protect our data. Dickson says make some of those mandatory, like the idea that companies storing our data should regularly scan their networks for malicious code and get rid of it.

DICKSON: These are kind of things that resilient companies and secure companies do. You regularly scan for vulnerabilities. You regularly try to identify holes before the bad guys do.

SHAHANI: Tom Brandl, with Docusign, offers another idea. Make the big, publicly traded companies sign off on a cybersecurity audit every year - just like Sarbanes-Oxley requires with financial information. That way the top brass can't just say after a hack, whoops, I didn't know.

TOM BRANDL: There's some skin in the game, too, from a CEO perspective and a board level perspective in that there is an explicit expectance and sign-off that yes, I'm responsible for these things as a CEO.

SHAHANI: So far the CEO of Target lost his job over a data breach, but that's rare. Brandl says the White House could up the stakes for corporate governance in our digital times. Aarti Shahani, NPR News, San Francisco.