Rep. Clay introduces another data security bill
- By Jason Miller
- Dec 20, 2007
A new bill introduced by Rep. William Lacy Clay (D-Mo.) earlier this week would codify many of the steps the Office of Management and Budget took in a series of memos after the flood of data breaches in fiscal 2006.
Clay, chairman of the House Oversight and Government Reform Committee’s Information Policy, Census and the National Archives Subcommittee, would require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches.
The bill, H.R. 4791, is another in a series of legislative efforts to improve how agencies and the private sector prevent and respond to data losses. Clay introduced the bill Dec. 18, and it was referred to the committee.
“OMB recognizes risks to personal information and risks introduced by new technologies are increasing,” said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. “We look forward to working with Congress and agencies to strengthen the Federal government's information security and privacy programs within the existing framework created by" the Federal Information Security Management Act.
In the past year, House and Senate members have tried unsuccessfully to get data breach legislation into law.
For instance, Rep. Tom Davis (R-Va.), ranking member of the committee, in May introduced the Federal Agency Data Breach Protection Act, and Sen. Norm Coleman (R-Minn.) followed with a companion version in June.
Meanwhile, Sen. Dianne Feinstein (D-Calif.) introduced and the Judiciary Committee passed the Notification of Risk to Personal Data Act, and the committee also approved the Personal Data Privacy and Security Act of 2007, sponsored by committee Chairman Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), ranking member. The full Senate never brought either bill up for a vote.
Clay’s bill follows OMB’s 06-16 memo from June 2006 requiring agencies to encrypt personal data using standards that would make the information unusable by unauthorized persons. It also would mandate that agencies establish “minimum requirements regarding the protection of information maintained or transmitted by mobile digital devices.”
“Codifying these requirements is a big step,” said Kevin Richards, Symantec’s manager for federal government relations. “The legislation will give agencies greater direction” than OMB’s memos.
Richards said too often agencies are interpreting how to implement the requirements.
OMB demanded that agencies use two-factor authentication and encrypt data on all mobile devices in addition to requiring devices to time out after 30 minutes of inactivity and log all data extracts.
Many agencies have successfully met three of the four requirements but still have trouble finding the best way to log data extracts.
The legislation also would require agencies to report data breaches in a timely manner to OMB and the Homeland Security Department’s U.S. Computer Emergency Response Center.
In its July 12, 2006, memo, OMB required agencies to report to the center within one hour of learning of a data breach.
What may be more important about Clay’s bill is that it brings new security requirements for peer-to-peer networks and for contractors.
Agencies would be required to develop a plan to protect against the risks of peer-to-peer networks, and it details technology and policy procedures they should take. The plan would have to be implemented within six month of the act becoming law.
The Government Accountability Office also would have to review agency plans within 18 months of the act becoming law.
Richards said he was concerned about the bill’s definition of what a peer-to-peer networks is.
He said Symantec, like a lot of other vendors, updates its software through a live update connection and that shouldn’t be considered a peer-to-peer network.
“I don’t think that is the committee’s intent,” he said. “I think it is not the technology, but the intent behind the technology."
Additionally, Clay now wants GAO and agency inspectors general to audit agency networks in addition to systems used, operated or supported by contractors or subcontractors at any tier.
The bill also incorporates some aspects of the Senate’s version of the E-Government Reauthorization Act, requiring improved privacy impact assessments (PIAs), especially of data purchased from data brokers.
But agencies would not be allowed to enter into a contract with data brokers one year after the bill becomes law unless the data is from media or te ephone directory providers.
This pertains to any database with “information in an identifiable form concerning U.S. persons” unless the head of the agency implements a PIA, issues regulations on who is allowed to access, analyze or otherwise use the databases and issues standards governing access and analysis of the databases.
Finally, the bill would require penalties for vendors on contracts worth $500,000 or more if they do not implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards.
“I think this bill is a positive step and it shows that in 2008 the committee will make information security a priority issue,” Richards said.