Davis urges Waxman to advance data breach bill

Rep. Tom Davis (R-Va.), ranking member on the House Oversight and Government Reform Committee, wants to move forward a bill he introduced to limit the loss of sensitive personal information in light of new findings that the Veterans Affairs Department is missing 53 computers from several locations.Davis requested today in a letter to committee Chairman Henry Waxman (D-Calif.) that he bring the Federal Agency Data Breach Protection Act before the full committee to vote on so it can move to the House for consideration.One of the provisions of Davis’ bill would require that agencies ensure that equipment containing potentially sensitive information is accounted for and secure.The Office of Management and Budget has provided agencies with guidance to protect data and report breaches but no details about notifying potential victims.“Currently, no requirement exists that agencies notify citizens whose personal information may have been compromised,” Davis stated in his letter.Earlier this week, the Government Accountability Office said it discovered that the computers were missing, along with other information technology equipment, as a result of its examination of VA inventory controls of IT at four locations nationwide. The computers may contain personally identifiable information, but it is not known at this time, Robert Howard, VA chief information officer, said at a hearing about the GAO report.Waxman and Davis worked together last year to collect information about data breaches from all major agencies and released the findings of a wide range of privacy and security incidents.“In almost all these cases, Congress and the public would not have learned of each event had you and I had not requested the information,” Davis wrote.The committee spokeswoman had not as yet returned calls about the chairman's plans for the bill.Davis’ bill would direct the Office of Management and Budget to establish practices and standards for informing citizens of lost data and would provide a clear definition of the type of sensitive information to which the law would apply. It also would give agency chief information officers authority to ensure that workers comply with data security laws.This bill is identical to one Davis introduced last year that was incorporated into the Veterans Identity and Credit Security Act, which passed the House in September 2006. It addresses concerns raised when a Veterans Affairs Department employee reported the theft of a laptop computer from his home that contained personal information on millions of veterans. VA leaders delayed acting on the report for almost two weeks, leaving those veterans at risk of identity theft and other crimes.