A new bill introduced by Rep. William Lacy Clay (D-Mo.) earlier this week would codify many of the steps the Office of Management and Budget took in a series of memos after the flood of data breaches in fiscal 2006.
The bill, sponsored by Clay, chairman of the House Oversight and Government Reform Committee’s Information Policy, Census and the National Archives Subcommittee, would require agencies to develop policies and plans to identify and protect personal information and to develop requirements for reporting data breaches.
The bill, H.R. 4791, is another in a series of legislative efforts to improve how agencies and the private sector prevent and respond to data losses. Clay introduced the bill Dec. 18, and it was referred to the committee.
“OMB recognizes risks to personal information and risks introduced by new technologies are increasing,” said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. “We look forward to working with Congress and agencies to strengthen the Federal government's information security and privacy programs within the existing framework created by” the Federal Information Security Management Act.
In the past year, House and Senate members have tried unsuccessfully to get data breach legislation into law.
For instance, Rep. Tom Davis (R-Va.), ranking member of the committee, in May introduced the Federal Agency Data Breach Protection Act, and Sen. Norm Coleman (R-Minn.) followed with a companion version in June.
Meanwhile, Sen. Dianne Feinstein (D-Calif.) introduced and the Judiciary Committee passed the Notification of Risk to Personal Data Act, and the committee also approved the Personal Data Privacy and Security Act of 2007, sponsored by committee Chairman Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), ranking member. The full Senate never brought either bill up for a vote.
Clay’s bill follows OMB’s 06-16 memo from June 2006 requiring agencies to encrypt personal data using standards that would make the information unusable by unauthorized persons. It also would mandate that agencies establish “minimum requirements regarding the protection of information maintained or transmitted by mobile digital devices.”
“Codifying these requirements is a big step,” said Kevin Richards, Symantec’s manager for federal government relations. “The legislation will give agencies greater direction” than OMB’s memos.
Richards said that too often agencies are left to interpret for themselves how to implement the requirements.
OMB demanded that agencies use two-factor authentication and encrypt data on all mobile devices, in addition to requiring devices to time out after 30 minutes of inactivity and requiring agencies to log all data extracts.
Many agencies have successfully met three of the four requirements but still have trouble finding the best way to log data extracts.