White House unveils broad cyber security plan

Federal breach notification rule sought

WASHINGTON—An Obama administration cyber security proposal, which would replace the patchwork of state laws with a national standard concerning notification of consumers about data breaches, is needed and welcome, many legal observers say.

Some praised the president's proposed cyber security plan in general, but also said it is overdue. Others said more details are needed and there is relatively little in the plan that breaks new ground.

The Obama administration proposed the legislation last week to improve protection for individuals, the nation's critical infrastructure as well as the federal government's networks and computers.

The proposal said the president has made cyber security an administration priority because the nation's critical infrastructure, such as the electricity grid, financial sector and transportation networks, has “suffered repeated cyber intrusions.”

Elements of the administration's proposal include:

• National data breach reporting. The administration said its proposal would help businesses “by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.”

• Penalties for computer criminals. The administration said laws imposing penalties for computer crimes are not fully synchronized with other types of crime. Its cyber security plan “clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure,” the administration said in a statement.

• Voluntary government assistance. The administration proposal would enable the Department of Homeland Security to provide quick assistance to the industry as well as state and local governments when they seek it and “clarifies the type of assistance it can provide.”

• Voluntary information-sharing. The Obama administration said the proposed legislation clarifies that the industry, states and local governments can share information about cyber threats or incidents with the DHS, and would give them immunity for doing so.

• Critical infrastructure plans. The administration said its proposal “emphasizes transparency to help market forces ensure that critical infrastructure operators are accountable for their cyber security.”

“The administration proposal requires DHS to work with industry to identify the core critical infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators,” the administration said in the statement.

“Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical infrastructure operator would have a third-party commercial audit assess its cyber security risk mitigation plans. Operators who already are required to report to the Securities and Exchange Commission also would have to certify that their plans are sufficient,” according to the statement.

Discussing the issue of ensuring an individual's privacy and civil liberties, the administration said private-sector, state and local government immunity “is conditioned on its compliance with the requirements of the proposal.”

“The idea of a national standard is a good one,” said Joseph Lazzarotti, a partner with law firm Jackson Lewis L.L.P. in White Plains, N.Y. Federal legislation has been held up in this area over the issues of pre-empting state laws, he said.

“It would help to be able to unify some state laws, because right now (businesses) certainly deal with a patchwork” of them around the country, said Michael V. Dowd, a partner with law firm Foley Hoag L.L.P. in Boston.

Notifying consumers under state laws “becomes a nightmare. It becomes challenging to understand and to know what those requirements are in all those different states,” said Tracey Vispoli, global cyber security manager for Warren, N.J.-based Chubb Group of Insurance Cos.

Rennie J. Muzii, Portland, Ore.-based managing director in Marsh Inc.'s FINPRO practice, said a national standard is needed. With 47 state laws, “you end up having a significant legal expense” if there is a breach, he said.

Cynthia Larose, a member of law firm Mintz Levin Cohn Ferris Glovsky & Popeo P.C. in Boston, said, “I don't see anything that's earth shaking here” in the proposal overall.

But achieving a national standard would be good for business “because it takes away some of the uncertainty of dealing” with the different state laws, Ms. Larose said.

Richard L. Santalesa, Fairfield, Conn.-based senior counsel at Information Law Group, said a national standard would be the first component of any cyber security proposal to be passed by Congress, and the president's plan will be “warmly welcomed.”

Overall, the proposal is “long overdue, required, necessary,” particularly from the perspective of protecting the country's critical infrastructure, Ms. Vispoli said.

Kristen J. Mathews, a partner with law firm Proskauer Rose L.L.P. in New York, agreed that the administration proposal is “overdue in that cyber security vulnerability among our utility companies has been a problem for a long time.

“I like what this proposal does in that it opens up lines of communication between members of the industry and the government to compare notes about vulnerabilities they have and exposures,” she said.

Mark Camillo, vp, professional liability with Chartis Inc. in New York, said in addition to the issue of state notification laws, the proposal addresses the issue of critical infrastructure entities having risk mitigation or strategies in place; provides stricter penalties for cyber criminals, which may serve as a deterrent; and provides incentives to ensure the government has cyber security personnel to coordinate activity with the private sector.

Peter Foster, senior vp, executive risks at Willis North America in Boston, said businesses generally do not look at governmental involvement as beneficial.

However, “security folks are looking for...broadening their budgets for security in the workplace” and the administration's push could result in that occurring, which Mr. Foster said would help reduce potential liability.

More details are needed to properly evaluate the proposal, some observers say.

“The devil's in the details” and “security is all about details,” said Mike Ahmadi, vp of operations for GraniteKey, a Livermore, Calif.-based security consulting firm. “Are you going to hold business liable for cyber security?” he asked. If so, “what's the baseline? What is the bare minimum? How are you going to establish what that is?”