[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4791 Introduced in House (IH)]







110th CONGRESS
  1st Session
                                H. R. 4791

 To amend title 44, United States Code, to strengthen requirements for 
   ensuring the effectiveness of information security controls over 
 information resources that support Federal operations and assets, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           December 18, 2007

   Mr. Clay (for himself, Mr. Towns, and Mr. Waxman) introduced the 
 following bill; which was referred to the Committee on Oversight and 
                           Government Reform

_______________________________________________________________________

                                 A BILL


 
 To amend title 44, United States Code, to strengthen requirements for 
   ensuring the effectiveness of information security controls over 
 information resources that support Federal operations and assets, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Federal Agency 
Data Protection Act''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definition of personally identifiable information.
Sec. 4. Authority of Director of Office of Management and Budget to 
                            establish information security policies and 
                            procedures.
Sec. 5. Responsibilities of Federal agencies for information security.
Sec. 6. Protection of government computers from risks of peer-to-peer 
                            file sharing.
Sec. 7. Annual independent audit.
Sec. 8. Privacy impact assessment of Federal agency use of commercial 
                            information services containing personal 
                            information.
Sec. 9. Prohibition on certain contracts with data brokers.
Sec. 10. Authorization of appropriations.
Sec. 11. Implementation.

SEC. 2. PURPOSE.

    The purpose of this Act is to protect personally identifiable 
information of individuals that is maintained in or transmitted by 
Federal agency information systems.

SEC. 3. DEFINITION OF PERSONALLY IDENTIFIABLE INFORMATION.

    Section 3542(b) of title 44, United States Code, is amended by 
adding at the end the following new paragraph:
            ``(4) The term `personally identifiable information', with 
        respect to an individual, means any information about the 
        individual maintained by an agency, including information--
                    ``(A) about the individual's education, finances, 
                or medical, criminal, or employment history;
                    ``(B) that can be used to distinguish or trace the 
                individual's identity, including name, social security 
                number, date and place of birth, mother's maiden name, 
                or biometric records; or
                    ``(C) that is linked or linkable to the 
                individual.''.

SEC. 4. AUTHORITY OF DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET TO 
              ESTABLISH INFORMATION SECURITY POLICIES AND PROCEDURES.

    Section 3543(a) of title 44, United States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) in paragraph (8)--
                    (A) by striking ``and'' at the end of subparagraph 
                (D);
                    (B) by striking the period and inserting ``; and'' 
                at the end of subparagraph (E); and
                    (C) by adding at the end the following new 
                subparagraph:
                    ``(F) a summary of the breaches of information 
                security reported by agencies to the Director and the 
                Federal information security incident center pursuant 
                to paragraph (10);''; and
            (3) by adding at the end the following:
            ``(9) establishing minimum requirements regarding the 
        protection of information maintained in or transmitted by 
        mobile digital devices, including--
                    ``(A) requirements for the protection of personally 
                identifiable information; and
                    ``(B) requirements for--
                            ``(i) the encryption of such information 
                        consistent with standards promulgated under 
                        section 11331 of title 40; or
                            ``(ii) the use of other commercially 
                        available technologies that efficiently and 
                        effectively render information unusable by 
                        unauthorized persons;
            ``(10) establishing minimum requirements regarding agency 
        action following a breach of information security resulting in 
        the disclosure of personally identifiable information, 
        including requirements for--
                    ``(A) timely agency reporting of such breach to the 
                Director and the Federal information security incident 
                center required under section 3546; and
                    ``(B) timely agency notification to individuals 
                whose personally identifiable information may have been 
                compromised or accessed during such breach, based on 
                government-wide risk categories established by the 
                Director after consultation with agencies and the 
                public that include exemptions from notification 
                requirements where such information can be reasonably 
                determined to be unusable by unauthorized persons; and
            ``(11) requiring agencies to comply with minimally 
        acceptable system configuration requirements consistent with 
        best practices, including checklists developed under section 
        8(c) of the Cyber Security Research and Development Act (Public 
        Law 107-305; 116 Stat. 2378) by the Director of the National 
        Institute of Standards and Technology.''.

SEC. 5. RESPONSIBILITIES OF FEDERAL AGENCIES FOR INFORMATION SECURITY.

    Section 3544(b) of title 44, United States Code, is amended--
            (1) in paragraph (2)(D)(iii), by striking ``as determined 
        by the agency'' and inserting ``as required by the Director 
        under section 3543(a)(11)'';
            (2) by striking ``and'' at the end of paragraph (7);
            (3) by striking the period at the end of paragraph (8) and 
        inserting ``; and''; and
            (4) by adding at the end the following:
            ``(9) plans and procedures for ensuring the adequacy of 
        information security protections for systems maintaining or 
        transmitting personally identifiable information, including 
        requirements for--
                    ``(A) maintaining a current inventory of systems 
                maintaining or transmitting such information;
                    ``(B) implementing information security 
                requirements for mobile digital devices maintaining or 
                transmitting such information, as required by the 
                Director (including encryption or the use of other 
                commercially available technologies rendering data 
                unusable by unauthorized persons);
                    ``(C) timely reporting of information security 
                breaches involving such information to the Director and 
                the Federal information security incident center 
                required under section 3546;
                    ``(D) timely notification to individuals whose 
                personally identifiable information may have been 
                compromised or accessed during an information security 
                breach, consistent with policies and procedures issued 
                by the Director; and
                    ``(E) developing, implementing, and overseeing 
                remediation plans to address vulnerabilities in 
                information security protections for such 
                information.''.

SEC. 6. PROTECTION OF GOVERNMENT COMPUTERS FROM RISKS OF PEER-TO-PEER 
              FILE SHARING.

    (a) Plans Required.--As part of the Federal agency responsibilities 
set forth in sections 3544 and 3545 of title 44, United States Code, 
the head of each agency shall develop and implement a plan to protect 
the security and privacy of computers and networks of the Federal 
Government from the risks posed by peer-to-peer file sharing.
    (b) Contents of Plans.--Such plans shall set forth appropriate 
methods, including both technological (such as the use of software and 
hardware) and nontechnological methods (such as employee policies and 
user training), to achieve the goal of protecting the security and 
privacy of computers and networks of the Federal Government from the 
risks posed by peer-to-peer file sharing.
    (c) Implementation of Plans.--The head of each agency shall--
            (1) develop and implement the plan required under this 
        section as expeditiously as possible, but in no event later 
        than six months after the date of the enactment of this Act; 
        and
            (2) review and revise the plan periodically as necessary.
    (d) Review of Plans.--Not later than 18 months after the date of 
the enactment of this Act, the Comptroller General shall--
            (1) review the adequacy of the agency plans required by 
        this section; and
            (2) submit to the Committee on Government Reform of the 
        House of Representatives and the Committee on Governmental 
        Affairs of the Senate a report on the results of the review, 
        together with any recommendations the Comptroller General 
        considers appropriate.
    (e) Definitions.--In this section:
            (1) Peer-to-peer file sharing.--The term ``peer-to-peer 
        file sharing'' means the use of computer software, other than 
        computer and network operating systems, that has as its primary 
        function the capability to allow the computer on which such 
        software is used to designate files available for transmission 
        to another computer using such software, to transmit files 
        directly to another such computer, and to request the 
        transmission of files from another such computer. The term does 
        not include the use of such software for file sharing between, 
        among, or within Federal, State, or local government agencies.
            (2) Agency.--The term ``agency'' has the meaning provided 
        by section 3502 of title 44, United States Code.

SEC. 7. ANNUAL INDEPENDENT AUDIT.

    (a) Requirement for Audit Instead of Evaluation.--Section 3545 of 
title 44, United States Code, is amended--
            (1) in the section heading, by striking ``evaluation'' and 
        inserting ``audit'' ; and
            (2) in paragraphs (1) and (2) of subsection (a), by 
        striking ``evaluation'' and inserting ``audit'' both places it 
        appears.
    (b) Additional Specific Requirements for Audits.--Section 3545(a) 
of such title is amended--
            (1) in paragraph (2)(A), by striking ``subset of the 
        agency's information systems;'' and inserting the following: 
        ``subset of--
                            ``(i) the information systems used or 
                        operated by the agency; and
                            ``(ii) the information systems used, 
                        operated, or supported on behalf of the agency 
                        by a contractor of the agency, any 
                        subcontractor (at any tier) of such a 
                        contractor, or any other entity;''; and
            (2) by adding at the end the following new paragraph:
    ``(3) Each audit under this section shall conform to generally 
accepted government auditing standards.''.
    (c) Conforming Amendments.--
            (1) Each of the following provisions of section 3545 of 
        title 44, United States Code, is amended by striking 
        ``evaluation'' and inserting ``audit'' each place it appears:
                    (A) Subsection (b)(1).
                    (B) Subsection (b)(2).
                    (C) Subsection (c).
                    (D) Subsection (e)(1).
                    (E) Subsection (e)(2).
            (2) Section 3545(d) of such title is amended by striking 
        ``the evaluation required by this section'' and inserting ``the 
        audit required by this section''.
            (3) Section 3545(f) of such title is amended by striking 
        ``evaluators'' and inserting ``auditors''.
            (4) Section 3545(g)(1) of such title is amended by striking 
        ``evaluations'' and inserting ``audits''.
            (5) Section 3545(g)(3) of such title is amended by striking 
        ``Evaluations'' and inserting ``Audits''.
            (6) Section 3543(a)(8)(A) of such title is amended by 
        striking ``evaluations'' and inserting ``audits''.
            (7) Section 3544(b)(5)(B) of such title is amended by 
        striking ``evaluation'' and inserting ``audit''.

SEC. 8. PRIVACY IMPACT ASSESSMENT OF FEDERAL AGENCY USE OF COMMERCIAL 
              INFORMATION SERVICES CONTAINING PERSONAL INFORMATION.

    (a) In General.--Section 208(b)(1)(A) of the E-Government Act of 
2002 (44 U.S.C. 3501 note) is amended--
            (1) by striking ``or'' at the end of clause (i); and
            (2) in clause (ii), by striking the period at the end of 
        subclause (II) and inserting ``; or''; and
            (3) by inserting after clause (ii) the following:
                            ``(iii) purchasing or subscribing for a fee 
                        to information in identifiable form from a data 
                        broker.''.
    (b) Definitions.--Section 208(d) of such Act (44 U.S.C. 3501 note) 
is amended to read as follows:
    ``(d) Definitions.--In this section:
            ``(1) Identifiable form.--The term `identifiable form' 
        means any representation of information that permits the 
        identity of an individual to whom the information applies to be 
        reasonably inferred by either direct or indirect means.
            ``(2) Data broker.--The term `data broker' means a business 
        entity that, for monetary fees or dues, regularly engages in 
        the practice of collecting, transmitting, or providing access 
        to sensitive information in identifiable form on more than 
        5,000 individuals who are not the customers or employees of 
        that business entity or affiliate primarily for the purposes of 
        providing such information to nonaffiliated third parties on an 
        interstate basis.''.
    (c) Study.--Not later than 2 years after the date of the enactment 
of this Act, the Comptroller General of the United States shall submit 
a report to the Congress regarding Federal agency compliance with the 
requirements established by the amendments made by this section.

SEC. 9. PROHIBITION ON CERTAIN CONTRACTS WITH DATA BROKERS.

    Section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
is amended--
            (1) by redesignating subsection (d) as subsection (e); and
            (2) by inserting after subsection (c) the following:
    ``(d) Prohibition on Certain Contracts With Data Brokers.--
            ``(1) Prohibition.--Notwithstanding any other provision of 
        law, beginning 1 year after the date of the enactment of this 
        subsection, no Federal agency may enter into a contract with a 
        data broker, or issue a task or delivery order under a contract 
        with a data broker, to access for a fee any database consisting 
        primarily of information in identifiable form concerning United 
        States persons (other than a database consisting of news 
        reporting or telephone directories) unless the head of such 
        agency implements the requirements specified in paragraph (2).
            ``(2) Requirements.--For purposes of paragraph (1), the 
        requirements specified in this paragraph are the following:
                    ``(A) Completion of privacy impact assessment.--
                With respect to any database proposed to be accessed, 
                the head of the agency shall complete a privacy impact 
                assessment under this section. The assessment shall, 
                subject to the provisions in this section pertaining to 
                sensitive information, include a description of--
                            ``(i) such database;
                            ``(ii) the name of the data broker from 
                        which it is proposed to be obtained; and
                            ``(iii) the amount of the contract or task 
                        or delivery order proposed to be entered into 
                        or issued.
                    ``(B) Promulgation of regulations.--The head of the 
                agency shall promulgate regulations that specify--
                            ``(i) the personnel permitted to access, 
                        analyze, or otherwise use databases of the type 
                        described in paragraph (1);
                            ``(ii) standards governing the access, 
                        analysis, or use of such databases;
                            ``(iii) any standards used to ensure that 
                        the information in identifiable form accessed, 
                        analyzed, or used is the minimum necessary to 
                        accomplish the intended legitimate purpose of 
                        the Federal agency;
                            ``(iv) standards limiting the retention and 
                        redisclosure of information in identifiable 
                        form obtained from such databases;
                            ``(v) procedures ensuring that such data 
                        meet standards of accuracy, relevance, 
                        completeness, and timeliness;
                            ``(vi) the auditing and security measures 
                        to protect against unauthorized access, 
                        analysis, use, or modification of data in such 
                        databases;
                            ``(vii) applicable mechanisms by which 
                        individuals may secure timely redress for any 
                        adverse consequences wrongly incurred due to 
                        the access, analysis, or use of such databases;
                            ``(viii) mechanisms, if any, for the 
                        enforcement and independent oversight of 
                        existing or planned procedures, policies, or 
                        guidelines; and
                            ``(ix) an outline of enforcement mechanisms 
                        for accountability to protect individuals and 
                        the public against unlawful or illegitimate 
                        access or use of databases.
                    ``(C) Inclusion of penalties and other requirements 
                in larger contracts.--With respect to any contract or 
                task or delivery order proposed to be entered into or 
                issued in an amount greater than $500,000, the head of 
                the agency shall include in the contract or order the 
                following provisions:
                            ``(i) Provisions providing for penalties--
                                    ``(I) for failure to implement a 
                                comprehensive personal data privacy and 
                                security program that includes 
                                administrative, technical, and physical 
                                safeguards appropriate to the size and 
                                complexity of the business entity and 
                                the nature and scope of its activities; 
                                or
                                    ``(II) for the provision to the 
                                Federal agency of inaccurate 
                                information in identifiable form, if 
                                the entity knows or has reason to know 
                                that the information being provided is 
                                inaccurate.
                            ``(ii) Provisions requiring a data broker 
                        that retains service providers for 
                        responsibilities related to information in 
                        identifiable form to--
                                    ``(I) exercise appropriate due 
                                diligence in selecting those service 
                                providers for responsibilities related 
                                to such information;
                                    ``(II) take reasonable steps to 
                                select and retain service providers 
                                that are capable of maintaining 
                                appropriate safeguards for the 
                                security, privacy, and integrity of 
                                such information; and
                                    ``(III) require such service 
                                providers, by contract, to implement a 
                                comprehensive personal data privacy and 
                                security program that includes 
                                administrative, technical, and physical 
                                safeguards appropriate to the size and 
                                complexity of the business entity and 
                                the nature and scope of its activities.
            ``(3) Limitation on penalties.--The penalties under 
        paragraph (2)(C)(i) shall not apply to a data broker providing 
        information in identifiable form that is accurately and 
        completely recorded from a public record source.''.

SEC. 10. AUTHORIZATION OF APPROPRIATIONS.

    Section 3548 of title 44, United States Code, is amended by 
striking ``2007'' and inserting ``2012''.

SEC. 11. IMPLEMENTATION.

    Except as otherwise specifically provided in this Act, 
implementation of this Act and the amendments made by this Act shall 
begin not later than 90 days after the date of the enactment of this 
Act.