[ISN] Lawmakers act on data security bills

From: InfoSec News (alerts@private)
Date: Thu May 03 2007 - 23:22:22 PDT


http://www.fcw.com/article102630-05-03-07-Web

By Mary Mosquera
May 3, 2007

Rep. Tom Davis (R-Va.), ranking member on the House Oversight and 
Government Reform Committee, introduced a bill today that would require 
agencies to better protect the sensitive data they collect and promptly 
notify those whose data is lost or stolen.

The Federal Agency Data Breach Protection Act directs the Office of 
Management and Budget to establish practices and standards for informing 
citizens of lost data and provides a clear definition of the type of 
sensitive information to which the law would apply.

In addition, it gives agency chief information officers authority to 
ensure that workers comply with data security laws.

"Secure information is the lifeblood of effective government policy and 
management, yet federal agencies continue to hemorrhage vital data," 
Davis said. "It is our duty to ask what is being done to protect the 
sensitive information of millions of Americans and how we can limit the 
damage when personal data is lost or stolen."

This bill is identical to one Davis introduced last year that was 
incorporated into the Veterans Identity and Credit Security Act, which 
passed the House in September 2006. It addresses concerns raised when a 
Veterans Affairs Department employee reported the theft from his home of 
a laptop computer that contained personal information on millions of 
veterans. VA leaders delayed acting on the report for almost two weeks, 
leaving those veterans at risk of identity theft and other crimes.

In Davis' most recent annual report card last month on how well agencies 
protect sensitive information and adhere to the Federal Information 
Security Management Act of 2002, the government overall garnered a C-, 
but several agencies, including the Homeland Security Department, 
received F's.

Davis' bill would amend FISMA to:

* Clarify the authority an agency head could delegate to the CIO.

* Require agencies to establish data breach notification procedures in 
  line with OMB policies, procedures and standards.

* Authorize agencies to establish policies and procedures for accounting 
  for all federal personal property assigned to departing employees.

* Define sensitive personal information.

Also today, the Senate Judiciary Committee approved two data security 
bills. The Notification of Risk to Personal Data Act, which Sen. Dianne 
Feinstein (D-Calif.) introduced, would protect individuals from identity 
theft by requiring agencies and businesses to notify consumers in the 
event of a security breach that exposes their personal data. The 
committee approved another, more comprehensive data privacy bill, the 
Personal Data Privacy and Security Act of 2007 sponsored by Committee 
Chairman Sen. Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), 
ranking Republican, with notification provisions identical to those in 
Feinstein's legislation.

Last year, Feinstein's data breach notification measure was included as 
part of a comprehensive data privacy bill that passed the Judiciary 
Committee but did not get Senate floor action.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org
