


by Dave Gradijan

Congress Proposes Data Breach Notification Law

Jul 24, 2006

Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, has proposed legislation requiring federal agencies to notify the public if sensitive information is lost or stolen, Computerworld reports.

According to the article, the legislation calls for the White House Office of Management and Budget (OMB) to set disclosure policies and standards for agencies to follow for breaches involving personal data. This comes after the OMB toughened internal breach-notification requirements with a July 12 memo issued by de facto federal CIO Karen Evans. Agencies must report any incident involving personally identifiable information, whether a confirmed or a suspected breach, to the U.S. Department of Homeland Security within an hour of discovery.

In a statement made last week, Davis said his proposed legislation modifying the Federal Information Security Management Act would also force agencies to disclose breaches more quickly, according to Computerworld.

“We have seen too many recent examples when sensitive data has been lost or stolen and agencies have moved too slowly to acknowledge the problem and take steps to limit the potential damage,” he said.

Computerworld reports that at a hearing held by the Senate Committee on Veterans Affairs last Thursday, Department of Veterans Affairs (VA) Secretary James Nicholson testified about the dilemma he faced on whether to delay the data breach disclosure or go public with the news. He made the decision to inform.

During the hearing, Sen. Richard Burr (R-N.C.) said there should have been no hesitation and Congress should have been notified of the breach immediately, Computerworld reports.

According to John Pescatore, an analyst with Gartner, the OMB’s modified policy of a one-hour reporting requirement also covers improper handling of sensitive data, such as storing it on a home computer without adequate encryption. Previously, only unauthorized access had to be reported.

Bruce Brody, a former CISO at the VA, told Computerworld that the reporting structure and escalation process should also be taken into consideration.

OMB officials “are assuming that there’s a centralized authority that is part of the escalation process,” Brody told Computerworld. In reality, such a structure doesn’t exist at most federal agencies.

Compiled by Paul Kerstein

For more information, read Data Theft at the VA.
