Report: Align disparate security regs before imposing more

As Congress considers legislation to impose more data security requirements, the lawmakers should first figure out how to align existing regulations, according to a report from the Congressional Research Service. A patchwork of federal and state laws already requires organizations to safeguard sensitive and personally identifiable information and to notify persons affected by a breach of their personal data, said Gina Marie Stevens, legislative attorney in CRS’ American law division. “An important issue to be addressed is harmonization of these various laws in order to provide uniform protections for personal information not dependent on the owner of the information or the category of information involved,” she said in the report dated July 31, but posted recently. Federal agencies must adhere to provisions of information security in the Privacy Act, the Federal Information Security Management Act along with guidance from the Office of Management and Budget to prevent and respond to data breaches. The Veterans Affairs Information Security Act adds data security, privacy, notification and credit protection in particular for veterans and their dependents. The Health Insurance Portability and Accountability Act governs health data privacy and security. Information security standards aim to protect personally identifiable information from unauthorized disclosure, access and acquisition. Data security breaches happen when fraudulent accounts are created, laptop or desktop computers are stolen or hacked, passwords are compromised, insiders or employees steal data, or discs or backup tapes are misplaced, the report notes. Among the data security bills that Congress may consider when it returns to work Sept. 4 is the Federal Agency Data Breach Protection Act introduced by Rep. Tom Davis (R-Va.), ranking member on the House Oversight and Government Reform Committee, and a Senate version introduced by Sen. Norm Coleman (R-Minn.), a member of the Senate Homeland Security and Governmental Affairs Committee.