By Jason Miller
December 20, 2007
A new bill introduced by Rep. William Lacy Clay (D-Mo.) earlier this
week would codify many of the steps the Office of Management and Budget
took in a series of memos after the flood of data breaches in fiscal
Clay, chairman of the House Oversight and Government Reform Committee's
Information Policy, Census and National Archives Subcommittee, would
require agencies to develop policies and plans to identify and protect
personal information and to develop requirements for reporting data
The bill, H.R. 4791, is another in a series of legislative efforts to
improve how agencies and the private sector prevent and respond to data
losses. Clay introduced the bill Dec. 18, and it was referred to the
OMB recognizes that risks to personal information and risks introduced by new
technologies are increasing, said Karen Evans, the Office of Management
and Budget's administrator for e-government and information technology.
"We look forward to working with Congress and agencies to strengthen the
Federal government's information security and privacy programs within
the existing framework created by" the Federal Information Security
In the past year, House and Senate members have tried unsuccessfully to
get data breach legislation into law.
For instance, Rep. Tom Davis (R-Va.), ranking member of the committee,
in May introduced the Federal Agency Data Breach Protection Act, and
Sen. Norm Coleman (R-Minn.) followed with a companion version in June.
Both bills died in committee.
Meanwhile, Sen. Dianne Feinstein (D-Calif.) introduced and the Judiciary
Committee passed the Notification of Risk to Personal Data Act, and the
committee also approved the Personal Data Privacy and Security Act of
2007, sponsored by committee Chairman Patrick Leahy (D-Vt.) and Sen.
Arlen Specter (R-Pa.), ranking member. The full Senate never brought
either bill up for a vote.
Clay likely will have to reintroduce his legislation after the December
recess, when the second session of the 110th Congress begins next month. Clay, however,
already has the support of Rep. Henry Waxman (D-Calif.), committee
chairman, and Edolphus Towns (D-N.Y.), chairman of the committee's
Government Management, Organization and Procurement Subcommittee, which
bodes well for the future.
Clay's bill follows OMB's M-06-16 memo from June 2006 requiring agencies to
encrypt personal data using standards that would make the information
unusable by unauthorized persons. It also would mandate that agencies
establish minimum requirements regarding the protection of information
maintained or transmitted by mobile digital devices.
"Codifying these requirements is a big step," said Kevin Richards,
Symantec's manager for federal government relations. The legislation will
give agencies greater direction than OMB's memos.
Richards said too often agencies are interpreting how to implement the
OMB demanded that agencies use two-factor authentication and encrypt
data on all mobile devices in addition to requiring devices to time out
after 30 minutes of inactivity and log all data extracts.
Many agencies have successfully met three of the four requirements but
still have trouble finding the best way to log data extracts.
The legislation also would require agencies to report data breaches in a
timely manner to OMB and the Homeland Security Department's U.S. Computer
Emergency Readiness Team (US-CERT).
In its July 12, 2006, memo, OMB required agencies to report to the
center within one hour of learning of a data breach.
What may be more important about Clay's bill is that it brings new
security requirements for peer-to-peer networks and for contractors.
Agencies would be required to develop a plan to protect against the
risks of peer-to-peer networks, and it details technology and policy
procedures they should take. The plan would have to be implemented
within six months of the act becoming law.
The Government Accountability Office also would have to review agency
plans within 18 months of the act becoming law.
Richards said he was concerned about the bill's definition of what a
peer-to-peer network is.
He said Symantec, like a lot of other vendors, updates its software
through a live update connection and that shouldn't be considered a
"I don't think that is the committee's intent," he said. "I think it is not
the technology, but the intent behind the technology." Additionally,
Clay now wants GAO and agency inspectors general to audit agency
networks in addition to systems used, operated or supported by
contractors or subcontractors at any tier.
The bill also incorporates some aspects of the Senate's version of the
E-Government Reauthorization Act, requiring improved privacy impact
assessments (PIAs), especially of data purchased from data brokers.
But beginning one year after the bill becomes law, agencies would not be
allowed to enter into a contract with data brokers unless the data is from
media or telephone directory providers.
This pertains to any database with information in an identifiable form
concerning U.S. persons unless the head of the agency implements a PIA,
issues regulations on who is allowed to access, analyze or otherwise use
the databases and issues standards governing access and analysis of the
Finally, the bill would require penalties for vendors on contracts worth
$500,000 or more if they do not implement a comprehensive personal data
privacy and security program that includes administrative, technical and
"I think this bill is a positive step and it shows that in 2008 the
committee will make information security a priority issue," Richards