Davis Introduces Data Breach Protection Bill

Press Release

Date: May 3, 2007
Location: Washington, DC



Rep. Tom Davis (R-Va.), ranking member on the House Committee on Oversight and Government Reform, introduced a bill today that would require the government to better protect the sensitive information it collects from citizens and inform them if this information is lost or stolen.

The Federal Agency Data Breach Protection Act, HR 2124, would require timely notification to those whose data is lost or stolen. It also requires the executive branch to establish practices and standards for notifying citizens of lost data and provides a clear definition of the type of sensitive information to which the law would apply. In addition, it empowers agency Chief Information Officers to ensure personnel comply with information security laws already in force.

"The federal government has sensitive personal information on every citizen - health records, tax returns, military records," Davis said. "We need to ensure the public knows when its sensitive personal information has been lost or compromised in some way."

This bill is identical to one Davis introduced in the last Congress that ended up incorporated into the Veterans Identity and Credit Security Act, which passed the House on Sept. 26. It responds to concerns first raised when an employee of the Department of Veterans Affairs reported the theft of a laptop computer from his home that had personal information on 26 million vets. VA leadership delayed acting on the report for almost two weeks, leaving all those veterans at risk of identity theft and other crimes.

This led to an investigation by Davis, which found that the Census Bureau could not account for more than 1,000 laptops, many simply kept by departing or terminated employees; that the Department of Agriculture left sensitive data on a Website, putting more than 150,000 people at risk; and that dozens of other federal agencies could not account for all their laptops or sensitive information.

Davis releases annual report cards on how well federal agencies protect the sensitive information in their possession, and the grades are startlingly low. The most recent report card - released in April - gave the government a C- overall but gave Fs to several key agencies, including the Department of Homeland Security and the State Department.

"Secure information is the lifeblood of effective government policy and management, yet federal agencies continue to hemorrhage vital data," Davis said. "It is our duty to ask what is being done to protect the sensitive information of millions of Americans and how we can limit the damage when personal data is lost or stolen."

In addition to requiring the executive branch to establish procedures to be followed in the event of a data breach, this legislation would amend the Federal Information Security Management Act of 2002 to:

* Clarify the authority that an agency head could delegate to the CIO;

* Require agencies to establish data breach notification procedures consistent with OMB policies, procedures and standards;

* Authorize agencies to establish policies and procedures for accounting for all Federal personal property assigned to departing employees; and

* Define sensitive personal information.

