[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5820 Introduced in House (IH)]








109th CONGRESS
  2d Session
                                H. R. 5820

 To increase the security of sensitive data maintained by the Federal 
                              Government.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 17, 2006

 Mr. Sweeney introduced the following bill; which was referred to the 
                     Committee on Government Reform

_______________________________________________________________________

                                 A BILL


 
 To increase the security of sensitive data maintained by the Federal 
                              Government.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Agency Data Privacy 
Protection Act''.

SEC. 2. DEFINITION OF SENSITIVE DATA.

    In this Act--
            (1) Sensitive data.--The term ``sensitive data'' includes 
        the following:
                    (A) Social security numbers.
                    (B) Financial records.
                    (C) Previous or current health records, including 
                hospital or treatment records of any kind, including 
                drug and alcohol rehabilitation records.
                    (D) Criminal records.
                    (E) Licenses.
                    (F) License denials, suspensions, or revocations.
                    (G) Tax returns.
                    (H) Information that has been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign policy.
                    (I) Personally identifiable information.
            (2) Personally identifiable information.--The term 
        ``personally identifiable information'' means any information, 
        in any form or medium, that relates to the past, present, or 
        future physical or mental health, predisposition, or condition 
        of an individual or the provision of health care to an 
        individual.
            (3) Federal computer system.--The term ``Federal computer 
        system'' has the meaning given such term in section 20(d) of 
        the National Institute of Standards and Technology Act (15 
        U.S.C. 278g-3(d)).
            (4) Agency.--The term ``agency'' has the meaning provided 
        in section 3502(1) of title 44, United States Code.
            (5) Record.--The term ``record'' has the meaning provided 
        in section 552a(a) of title 5, United States Code.

SEC. 3. REQUIREMENT FOR USE OF ENCRYPTION FOR SENSITIVE DATA.

    (a) Requirement for Encryption.--
            (1) In general.--All sensitive data maintained by the 
        Federal Government, including such data maintained in Federal 
        computer systems, shall be secured by the use of the most 
        secure encryption standard recognized by the National Institute 
        of Standards and Technology.
            (2) Updating required every 6 months.--Any sequence of 
        characters (known as an encryption key) used to secure an 
        encryption standard used on Federal computer systems shall be 
        changed every 6 months, at a minimum, to provide additional 
        security.
            (3) Implementation.--The requirements of this subsection 
        shall be implemented not later than 6 months after the date of 
        the enactment of this Act.
    (b) Federal Agency Responsibilities.--The head of each agency shall 
be responsible for complying with the requirements of subsection (a) 
within the agency. Such requirement shall be considered to be a 
requirement of subchapter III of chapter 35 of title 44, United States 
Code, for purposes of section 3544(a)(1)(B) of such title.

SEC. 4. REQUIREMENTS RELATING TO ACCESS BY AGENCY PERSONNEL TO 
              SENSITIVE DATA.

    (a) On-Site Access.--No employee of the Federal government may have 
access to sensitive data on Government property unless the employee has 
received a security clearance at the ``secret'' level or higher and has 
completed a financial disclosure form, in accordance with applicable 
provisions of law and regulation.
    (b) Off-Site Access.--
            (1) Prohibition.--Sensitive data maintained by an agency 
        may not be transported or accessed from a location off 
        Government property unless a request for such transportation or 
        access is submitted and approved by the Inspector General of 
        the agency in accordance with paragraph (2).
            (2) Procedures.--
                    (A) Deadline for approval or disapproval.--In the 
                case of any request submitted under paragraph (1) to an 
                Inspector General of an agency, the Inspector General 
                shall approve or disapprove the request within 2 
                business days after the date of submission of the 
                request.
                    (B) Limitation to 10,000 records.--If a request is 
                approved, the Inspector General shall limit the access 
                to not more than 10,000 records at a time.
            (3) Encryption.--Any technology used to store, transport, 
        or access sensitive data during for purposes of off-site access 
        approved under this subsection shall be secured by the use of 
        the most secure encryption standard recognized by the National 
        Institute of Standards and Technology.
    (c) Implementation.--The requirements of this subsection shall be 
implemented not later than 6 months after the date of the enactment of 
this Act.

SEC. 5. REQUIREMENTS RELATING TO GOVERNMENT CONTRACTORS INVOLVING 
              SENSITIVE DATA.

    (a) Applicability to Government Contractors.--In entering into any 
contract that may involve sensitive data in electronic or digital form 
on 10,000 or more United States citizens, an agency shall require the 
contractor and employees of the contractor to comply with the 
requirements of sections 3 and 4 of this Act in the performance of the 
contract, in the same manner as agencies and government employees 
comply with such requirements.
    (b) Implementation.--The requirements of this subsection shall be 
implemented with respect to contracts entered into on or after the date 
occurring 6 months after the date of the enactment of this Act.
                                 <all>