[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6109 Introduced in House (IH)]

109th CONGRESS
  2d Session
                                H. R. 6109

    To amend title 38, United States Code, to provide for enhanced 
protection of sensitive personal information processed or maintained by 
                   the Secretary of Veterans Affairs.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 19, 2006

  Mr. Murphy (for himself, Mr. Gerlach, Mr. Platts, Mr. Salazar, Ms. 
 Hart, Mrs. Blackburn, Mr. Bradley of New Hampshire, Mr. McCotter, Mr. 
  Hoekstra, and Mr. LaHood) introduced the following bill; which was 
             referred to the Committee on Veterans' Affairs

_______________________________________________________________________

                                 A BILL


 
    To amend title 38, United States Code, to provide for enhanced 
protection of sensitive personal information processed or maintained by 
                   the Secretary of Veterans Affairs.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Stop Endangering the Records of 
Veterans (SERVE) Act of 2006''.

SEC. 2. FINDINGS.

    Congress finds as follows:
            (1) Identity theft remains a critical problem for 
        consumers. In May 2006, the Federal Trade Commission revealed 
        that 10,000,000 individuals are subjected to theft of their 
        personal identification licenses and records each year.
            (2) Recent thefts of computer hardware containing sensitive 
        personal information from the Department of Veterans Affairs 
        and its contractors have made millions of veterans vulnerable 
        to identity theft and fraud.
            (3) On May 22, 2006, the Department of Veterans Affairs 
        announced an employee laptop containing personal records of 
        nearly 26,500,000 million veterans and spouses had been stolen.
            (4) On August 7, 2006, a desktop computer containing 
        personal information of more than 38,000 veterans was stolen 
        from a subcontractor hired to assist in insurance collections 
        for medical centers of the Department of Veterans Affairs in 
        Pittsburgh and Philadelphia, Pennsylvania.
            (5) In August 2006, in response to the loss of these 
        records, the Secretary of Veterans Affairs created the office 
        of Special Advisor to the Secretary for Information Security.
            (6) On August 14, 2006, the Secretary announced the award 
        of a $3,700,000 contract to a service-disabled, veteran-owned 
        small business to upgrade all Department computers with 
        enhanced data security encryption systems.
            (7) In order to prevent the Nation's veterans from being 
        exposed to identity theft and fraud, additional Federal 
        safeguards, including those provided by this Act, must be 
        applied to increase accountability of those who handle 
        veterans' records in order to prevent future losses of 
        sensitive personal information.

SEC. 3. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY.

    (a) Information Security.--Chapter 57 of title 38, United States 
Code, is amended by adding at the end the following new subchapter:

                 ``SUBCHAPTER III--INFORMATION SECURITY

``Sec. 5721. Definitions
    ``For the purposes of this subchapter:
            ``(1) The term `sensitive personal information' means the 
        name, address, or telephone number of an individual, in 
        combination with any of the following:
                    ``(A) The social security number of the individual.
                    ``(B) The date of birth of the individual.
                    ``(C) Any information not available as part of the 
                public record regarding the individual's military 
                service or health.
                    ``(D) Any financial account or other financial 
                information relating to the individual.
                    ``(E) The driver's license number of the 
                individual.
            ``(2) The term `encrypt' means to use software to obscure 
        electronic information to make that information unreadable for 
        unauthorized employees and contractors of the Department.
``Sec. 5722. Physical security of sensitive personal information 
              processed or maintained by the Secretary
    ``The Secretary shall physically secure all sensitive personal 
information processed or maintained by the Secretary and all equipment 
of the Department containing such sensitive personal information.
``Sec. 5723. Encryption of sensitive personal information processed or 
              maintained by the Secretary
    ``The Secretary shall encrypt all sensitive personal information 
processed or maintained by the Secretary.
``Sec. 5724. Contracts for the processing or maintenance of sensitive 
              personal information
    ``(a) Contract Requirements.--If the Secretary enters into a 
contract for the performance of any Department function that requires 
access to sensitive personal information, the Secretary shall require 
as a condition of the contract that--
            ``(1) the contractor ensures that it will--
                    ``(A) encrypt or encode any such information to 
                which the contractor has access; and
                    ``(B) physically secure all such information that 
                it processes or maintains and all equipment containing 
                such information; and
            ``(2) the contractor agrees to reimburse the Secretary for 
        any amount paid by the Secretary to any person as a result of 
        the contractor's unauthorized disclosure of any sensitive 
        personal information to which the contractor has access under 
        the contract.
    ``(b) Penalty for Violations.--Any contractor who violates any 
requirement of this subtitle shall be debarred from contracting with 
the Department for a period of one year.
``Sec. 5725. Criminal penalty for unauthorized disclosure of sensitive 
              personal information
    ``Any person who engages in the unauthorized disclosure of 
sensitive personal information processed or maintained by the Secretary 
or by a contractor performing a function on behalf of the Secretary 
shall be fined in accordance with title 18, imprisoned for not more 
than one year, or both.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by adding at the end the following new items:
                 ``subchapter iii--information security
``5721. Definitions.
``5722. Physical security of sensitive personal information processed 
                            or maintained by the Secretary.
``5723. Encryption of sensitive personal information processed or 
                            maintained by the Secretary.
``5724. Contracts for the processing or maintenance of sensitive 
                            personal information.
``5725. Criminal penalty for unauthorized disclosure of sensitive 
                            personal information.''.
    (c) Implementation.--The requirement of section 5723 of title 38, 
United States Code, as added by subsection (a), shall be implemented 
not later than 90 days after the date of the enactment of this Act.

SEC. 4. DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET STUDY AND REPORT.

    Not later than 180 days after the date of the enactment of this 
Act, the Director of the Office of Management and Budget shall complete 
a study of the security of personal information maintained or processed 
by the Secretary of Veterans Affairs and shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
report containing the findings of that study and any recommendations of 
the Director.