May 4, 2007 sees Congressional Record publish “FEDERAL AGENCY DATA BREACH PROTECTION ACT”

Volume 153, No. 73 covering the 1st Session of the 110th Congress (2007 - 2008) was published by the Congressional Record.

The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.

“FEDERAL AGENCY DATA BREACH PROTECTION ACT” mentioning the U.S. Dept of Agriculture was published in the Extensions of Remarks section on pages E959-E960 on May 4, 2007.

The publication is reproduced in full below:

FEDERAL AGENCY DATA BREACH PROTECTION ACT

______

HON. TOM DAVIS

of Virginia

in the House of Representatives

Thursday, May 3, 2007

Mr. TOM DAVIS of Virginia. Madam Speaker, secure information is the lifeblood of effective government policy and management, yet federal agencies continue to hemorrhage vital data. Personal information continues to be placed at risk, and we must ask: What is being done to protect the sensitive digital identities of millions of Americans, and how can we limit the damage when personal data does go astray?

As we all now know, a Department of Veterans Affairs employee reported the theft of computer equipment from his home--equipment which stored more than 26 million records containing personal information. VA leadership delayed acting on the report for almost two weeks, while millions were at risk of serious harm from identity theft and the agency struggled to determine the exact extent of the breach.

But this is only one in a long string of personal information breaches in the public and private sectors, including financial institutions, data brokerage companies, and academic institutions. Last year, we found the Census Bureau could not account for over one thousand laptops containing sensitive information issued to employees. And just recently, we learned the Department of Agriculture left sensitive data on a website, putting the personal information of 150,000 individuals at risk.

These breaches continue to illustrate how far we have to go to reach the goal of strong, uniform, government-wide information security policies and procedures.

On the Government Reform Committee, I focused on government-wide information management and security for a long time. The Privacy Act and the E-Government Act of 2002 outline the parameters for the protection of personal information. These recent incidents highlight the importance of establishing--and following--security standards for safeguarding personal information. They also highlight the need for proactive security breach notification requirements for organizations--including Federal agencies--dealing with sensitive personal information.

Congress continues working on requirements for the private sector--but Federal agencies present unique requirements and challenges. These incidents demonstrate the importance of strengthening the laws and rules protecting personal information held by Federal agencies--and we need to do this quickly.

In order to get a more complete picture of the problem before pursuing legislation, we sent a request to all cabinet agencies seeking information about data breaches involving the loss of sensitive personal information.

The results were troubling. We learned there have been a wide range of incidents involving data loss or theft, privacy breaches, and security incidents. In almost all of these cases, Congress and the public would not have learned of each event unless we had requested the information.

My bill requires timely notice be provided to individuals whose sensitive personal information could be compromised by a breach of data security at a Federal agency. Despite the volume of sensitive information held by agencies, there currently is no requirement people be notified if their information is compromised. Under this legislation, the executive branch must establish practices, procedures and standards for agencies to follow if sensitive personal information is lost or stolen and there is a reasonable risk of harm to an individual. And we provide a clear definition of the type of sensitive information we're trying to protect.

We also give the agency Chief Information Officers the authority, when appropriate and authorized, to ensure agency personnel comply with the information security laws already on the books.

Finally, we ensure costly equipment containing potentially sensitive information is accounted for and secure. Half of the lost Census Bureau computers simply were not returned by departing or terminated employees. The agency did not track computer equipment, nor were employees held accountable for failing to return it. This is taxpayer funded equipment, containing sensitive information, and we must know what we have and who has it--at all times.

Each year, I release Federal agency information security scorecards. Despite some improvement, scores for many departments remain unacceptably low. The Federal Government overall received a C minus, a slight improvement over prior years.

The Federal Government has sensitive personal information on every citizen--health records, tax returns, military records. We need to ensure the public knows when its sensitive personal information has been lost or compromised in some way.

The language in this bill is identical to H.R. 6163, which I introduced last Congress. Last year, with the assistance of then Chairman Steve Buyer, I incorporated this language into the Veterans Identity and Credit Security Act (H.R. 5835), which passed the House on September 26. That bill, including my language, had strong bipartisan support, with 67 cosponsors from both sides of the aisle, including the new chairman of the Oversight and Government Reform Committee.

This bill is a critical first step toward limiting the loss of our sensitive personal information. I hope we can again move this important legislation through the House.

____________________

SOURCE: Congressional Record Vol. 153, No. 73
