FEDERAL AGENCY DATA PROTECTION ACT -- (House of Representatives - June 03, 2008)
BREAK IN TRANSCRIPT
Mr. DAVIS of Virginia. Mr. Speaker, secure information is the lifeblood of effective government. But we've seen a wide range of incidents involving data loss or theft, privacy breaches, and security incidents at Federal agencies.
In almost all of these cases, Congress and the public would not have learned of these events had we not requested the information. After all, despite the volume of sensitive information held by agencies--tax returns, military records, health records, to name a few--there currently is no requirement that agencies notify citizens whose personal information may have been compromised. We need to ensure the public knows when its sensitive personal information has been lost or compromised.
Therefore I am pleased we incorporated my legislation, H.R. 2124, which requires timely notice be provided to individuals whose sensitive personal information could be compromised by a breach of data security at a Federal agency.
In addition to focusing on ensuring adequate protection of individuals' personal information held by the Federal Government, I have also spent years focusing on general, government-wide information management and security policy.
For example, the Privacy Act and the E-Government Act of 2002 outline the parameters for the protection of personal information. The Federal Information Security Management Act (FISMA), which I authored, requires each agency to create a comprehensive risk-based approach to agency-wide information security management, through preparedness, evaluation, and reporting requirements.
These laws created a solid foundation for Federal information security, making security management an integral part of an agency's operations and ensuring agencies are actively using best practices to secure the Federal Government's systems.
But it is now incumbent upon us to take Federal information security to the next level--to find new and innovative ways to secure government information.
Unfortunately, I do not believe H.R. 4791 does enough. Most of the provisions contained in this bill are a grab bag of vague requirements, additional mandates, and misplaced priorities. It casts dynamic concepts in stone. And it gives agency personnel more boxes to check.
I have long called for a bill with teeth--and an opportunity to discuss and debate the overall issues associated with improving Federal information security. I think we have missed some key opportunities in that regard.
For example: (1) We haven't seriously considered, to my knowledge, the need to pursue providing incentives for agency success--such as financial incentives for agencies which excel.
(2) We haven't given enough consideration, to my knowledge, to the need to pursue funding penalties and personnel reforms which provide real motivation for an agency to improve its information security.
(3) Although I've pushed the scorecards for many years, we need increased Congressional oversight of agency information security practices.
(4) Have we done enough to bring greater consistency across the IG community regarding standards and review regarding improved information security?
(5) And in our recent review of this issue, I do not believe we have considered, nor do we address, what I believe is one of the most important and complex problems associated with these issues: the difficulties faced by agency Chief Information Officers in their attempts to be successful and effective--both in terms of their status within their agencies and their underlying statutory authority.
(6) Also, have we taken a serious look at whether the creation of a Federal CIO or an Information Czar at OMB would improve the Federal Government's ability to handle and process information? I do not believe so.
Yesterday, OMB Deputy Director for Management, Clay Johnson, wrote to the Committee asking to work with us on a handful of concerns the Administration has with the current draft of the legislation. Although the majority did make important modifications, removing controversial provisions affecting data brokers for example, which were of particular concern to Representative Mike Turner, other areas still need to be addressed.
The Administration has expressed particular concern about the bill's codification of terms and requirements in statute, including the definition of "personally identifiable information" as well as various technology-specific provisions, including "personal digital devices" and "peer-to-peer file-sharing programs". I have long maintained that effective security legislation should be technology neutral to enable the government to adequately address constantly evolving threats and technologies. Ironically, we could find ourselves less secure as agencies are forced to meet outdated mandates and requirements. I trust the majority is willing to continue these discussions as the legislation moves forward.
Mr. Speaker, public confidence in government is essential. In the end, the public demands effective government. And effective government depends on secure information. I remain concerned that this legislation falls short in a number of these important areas.
BREAK IN TRANSCRIPT