b'<html>\n<title> - STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE TIMES?</title>\n<body><pre>[Senate Hearing 112-662]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                        S. Hrg. 112-662\n\n \n  STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE \n                                 TIMES?\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  OVERSIGHT OF GOVERNMENT MANAGEMENT,\n                     THE FEDERAL WORKFORCE, AND THE\n                   DISTRICT OF COLUMBIA SUBCOMMITTEE\n\n                                 of the\n\n                              COMMITTEE ON\n                         HOMELAND SECURITY AND\n                          GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JULY 31, 2012\n\n                               __________\n\n         Available via the World Wide Web: http://www.fdsys.gov\n\n       Printed for the use of the Committee on Homeland Security\n                        and Governmental Affairs\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n76-066                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202\xef\xbf\xbd09512\xef\xbf\xbd091800, or 866\xef\xbf\xbd09512\xef\xbf\xbd091800 (toll-free). E-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="ddbaadb29dbea8aea9b5b8b1adf3beb2b0f3">[email&#160;protected]</a>  \n\n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nTHOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts\nMARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona\nMARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin\nCLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio\nJON TESTER, Montana                  RAND PAUL, Kentucky\nMARK BEGICH, Alaska                  JERRY MORAN, Kansas\n\n                  Michael L. Alexander, Staff Director\n               Nicholas A. Rossi, Minority Staff Director\n                  Trina Driessnack Tyrer, Chief Clerk\n            Joyce Ward, Publications Clerk and GPO Detailee\n\n\n  OVERSIGHT OF GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE \n                   DISTRICT OF COLUMBIA SUBCOMMITTEE\n\n                   DANIEL K. AKAKA, Hawaii, Chairman\nCARL LEVIN, Michigan                 RON JOHNSON, Wisconsin\nMARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma\nMARK BEGICH, Alaska                  JERRY MORAN, Kansas\n\n                       Eric M. Tamarkin, Counsel\n               Rachel R. Weaver, Minority Staff Director\n                      Lauren Corcoran, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statement:\n                                                                   Page\n    Senator Akaka................................................     1\n    Senator Johnson..............................................     3\nPrepared statement:\n    Senator Akaka................................................    35\n    Senator Carper...............................................    37\n\n                               WITNESSES\n                         Tuesday, July 31, 2012\n\nMary Ellen Callahan, Chief Privacy Officer, U.S. Department of \n  Homeland Security..............................................     4\nGreg Long, Executive Director, Federal Retirement Thrift \n  Investment Board...............................................     6\nGreg C. Wilshusen, Director, Information Security Issues, U.S. \n  Accountability Office..........................................     8\nPeter Swire, C. William O\'Neill Professor of Law at Ohio State \n  University.....................................................    19\nChris Calabrese, Legislative Counsel, American Civil Liberties \n  Union..........................................................    21\nPaul Rosenzweig, Visiting Fellow, Heritage Foundation............    23\n\n                     Alphabetical List of Witnesses\n\nCalabrese, Chris:\n    Testimony....................................................    21\n    Prepared statement...........................................    84\nCallahan, Mary Ellen:\n    Testimony....................................................     4\n    Prepared statement...........................................    38\nLong, Greg:\n    Testimony....................................................     6\n    Prepared statement...........................................    46\nRosenzweig, Paul:\n    Testimony....................................................    23\n    Prepared statement...........................................    99\nSwire, Peter:\n    Testimony....................................................    19\n    Prepared statement...........................................    69\nWilshusen, Greg C.:\n    Testimony....................................................     8\n    Prepared statement...........................................    52\n\n                                APPENDIX\n\nQuestions and responses for the Record from:\n    Ms. Callahan.................................................   117\n    Mr. Long.....................................................   119\n    Mr. Wilshusen................................................   124\n    Mr. Swire....................................................   126\n    Mr. Calabrese................................................   127\n    Mr. Rosenzweig...............................................   131\n\n\n  STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE \n                                 TIME?\n\n                              ----------                              \n\n\n                         TUESDAY, JULY 31, 2012\n\n                                 U.S. Senate,      \n              Subcommittee on Oversight of Government      \n                     Management, the Federal Workforce,    \n                            and the District of Columbia,  \n                      of the Committee on Homeland Security\n                                        and Governmental Affairs,  \n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 10:03 a.m., in \nRoom SD-628, Dirksen Senate Office Building, Hon. Daniel K. \nAkaka, Chairman of the Subcommittee, presiding.\n    Present: Senators Akaka and Johnson.\n\n               OPENING STATEMENT OF SENATOR AKAKA\n\n    Senator Akaka. I call this hearing of the Subcommittee on \nOversight of Government Management, the Federal Workforce, and \nthe District of Columbia to order.\n    I want to say Aloha and welcome our guests and all those \nwho are here and interested in this hearing, and I just want to \nthank all of you for being here.\n    Today, the Subcommittee will examine the foundation for our \nFederal privacy and data security laws. Unfortunately, key \npieces of this foundation have serious cracks that need to be \nfixed.\n    The Privacy Act, a cornerstone of Federal privacy \nprotection, was enacted way back in 1974 to respond to the \nincreasing ease of collecting and storing personal information \nin computer databases. It governs how the Federal Government \ngathers, shares, and protects Americans\' personal information.\n    Despite dramatic technological change over the last four \ndecades, much of the Privacy Act remains stuck in the 1970s. \nMany of the definitions in the Act are simply out of date and \ndo not make sense in the current data environment. As a result, \nthe Act is difficult to interpret and apply, and it provides \ninconsistent protection to the massive amount of personal \ninformation in the hands of the government. I want to highlight \na few specific concerns.\n    Earlier this year, the Supreme Court restricted Privacy Act \nremedies. In Federal Aviation Administration v. Cooper, the \nSocial Security Administration violated the Privacy Act by \nsharing the plaintiff\'s HIV status with other Federal agencies. \nThe Court concluded that he could not be compensated for \nemotional distress, because Privacy Act damages are limited to \neconomic harm. By many experts\' accounts, this decision \nrendered the Act toothless, and scholars across the political \nspectrum have called for Congress to amend the Privacy Act to \nfix this decision.\n    Additionally, agencies frequently use private sector \ndatabases for law enforcement and other purposes that affect \nindividuals\' rights. This is not covered by Federal privacy \nlaws, which creates a loophole that allows agencies to avoid \nprivacy requirements. We should require privacy impact \nassessments (PIA) on agencies\' use of commercial sources of \nAmericans\' private information. This would provide basic \ntransparency of the use of commercial databases so that \nindividuals have appropriate protections such as access, \nnotice, correction, and purpose limitations.\n    Strong Executive Branch leadership is also essential to \neffectively enforcing the privacy protections we do now have. \nOver time, Congress has statutorily required Chief Privacy \nOfficers (CPOs) in many agencies across the Federal Government, \nand the Office of Management and Budget (OMB) mandated in 1999 \nthat all agencies designate a senior privacy official to assume \nresponsibility for privacy policy. My Privacy Officer With \nEnhanced Rights (POWER) Act--included in the Implementing \nRecommendations of the 9/11 Commission Act of 2007--\nstrengthened the authorities of the Department of Homeland \nSecurity (DHS) Chief Privacy Officer, and I would say with \npositive results.\n    Despite OMB\'s mandate to oversee privacy policies \ngovernmentwide, it has not named a chief privacy official since \nthe Clinton Administration. As a result, responsibility for \nprotecting privacy is fragmented and agencies\' compliance with \nprivacy requirements is inconsistent.\n    Widespread agency data breaches, and inconsistent responses \nwhen they occur, are symptoms of this problem. We all remember \nthe massive data breach at the Department of Veterans Affairs \nin May 2006 where the personal information of more than 26 \nmillion veterans and active duty members of the military was \nexposed. After that breach, OMB issued guidance requiring \nagencies to strengthen safeguards for personal information and \nimplement data breach notification policies. But implementation \nof the guidance has been uneven, and the number of Federal data \nbreaches has only grown.\n    Recently, a contractor to the Federal Retirement Thrift \nInvestment Board (FRTIB) was the subject of a cyber attack that \ncompromised the personal information of over 123,000 \nparticipants in the Thrift Savings Plan (TSP). This included 43 \ncurrent and former Members of Congress. I was one of them. I \nwas concerned to learn that the Board had not followed the 2007 \nOMB guidance and did not have a data breach notification policy \nin place when they learned of the breach. I am working with the \nGovernment Accountability Office (GAO) to determine how many \nother agencies have not followed this guidance and determine \nwhether there is sufficient oversight of agencies that have \ncomplied.\n    This builds on the substantial work GAO has completed in \nresponse to my nine previous requests on privacy and data \nsecurity. I have also worked closely with GAO in drafting my \nPrivacy Act Modernization for the Information Age Act, S. 1732, \nwhich would make the OMB guidance mandatory for agencies and \nfix many of the other cracks in the privacy and data security \nfoundation.\n    Promoting privacy and civil liberties has been a priority \nduring my tenure in the U.S. Senate, and I will continue \nfocusing on this issue until the end of the year. I hope my \ncolleagues will join me in two current efforts to address the \nproblems raised at this hearing: S. 1732 and my amendment to \nthe cybersecurity bill we are currently considering on the \nfloor. Protecting Americans\' privacy is a bipartisan issue that \nI hope my colleagues will continue to advance in the years to \ncome.\n    And so, I would like to call on my brother here for any \nopening statement that he may have. Senator Johnson.\n\n              OPENING STATEMENT OF SENATOR JOHNSON\n\n    Senator Johnson. Thank you, Mr. Chairman, witnesses. I want \nto thank you for taking time and not only being here today but \nalso for preparing your thoughtful testimony.\n    Aloha. Mr. Chairman, before I start, I am not quite sure \nwhether we are going to have another hearing. We may, but in \ncase we do not, I just want to say what a pleasure it has been \nserving with you as your Ranking Member on the Subcommittee.\n    I mean, you are a kind, gentle, honorable soul; and for \nsomebody new to the Senate, this is a very nice start for me to \nbe able to serve with someone like you. So, it has really been \na pleasure. I just wanted to say that.\n    I want to thank you for having this hearing. I think this \nis very timely. The full Senate now is taking up the \ncybersecurity bill. One of the primary issues that we are \nhaving to deal with is the privacy aspect, and all the effects \nof cybersecurity, trying to maintain security within our \nInternet network, certainly privacy is a real consideration \nthere. It is a serious issue. It is an important issue. It is \nalso highly complex.\n    Back in February I read a book review in the Wall Street \nJournal on a book called Abundance by Peter Dimandis and Steven \nKotler, and just to put the issue in perspective how complex \nthis is, I just want to start reading the very beginning of \nthis book review.\n    It says, ``If every image made and every word written from \nthe earliest string of civilization to the year 2003 were \nconverted to digital information, the total would come to five \nexabytes.\'\'\n    We cannot even comprehend what an exabyte is. It is one \nfollowed by 18 zeros. So again, everything from the dawn of \ncivilization to the year 2003, five exabytes. From the year \n2003 to 2010, we were producing five exabytes of information \nevery 2 days. Next year the authors project that we will be \nproducing five exabytes of information every 10 minutes.\n    So, in the age of Facebook and Google where people are \nvoluntarily and willingly providing all kinds of information to \nprivate companies, I think we really have to ask some very \nserious questions.\n    With technology advancing at such a rapid rate, certainly \nthe types of questions I will be asking in this hearing are \ngoing to be pretty basic. I am new here. I was not around in \n1974 when the Privacy Act was, I was around but not here, when \nit was enacted.\n    So, I am just going to be asking basic questions about what \nwas the purpose of that, what is the purpose moving forward, \nhow do we grapple with just this exponential growth in \ninformation and the serious threat to our cyber networks of \nattack from criminals, from foreign sources, and we need to \ntake a look at what the purpose, what the cost and benefit of \ngovernmental actions, and is there potentially a better way.\n    So, that will kind of be the thrust of my questions. I am \nreally looking forward to the testimony. Again, it is very \ntimely and, Mr. Chairman, I again want to thank you for holding \nthe hearing.\n    Senator Akaka. Thank you very much, Senator Johnson.\n    Now, I would like to welcome our witnesses to the hearing \nin the first panel. Ms. Mary Ellen Callahan, Chief Privacy \nOfficer, at the Department of Homeland Security.\n    I know today is your last day at DHS. So, I want to thank \nyou so much for your service and what you have brought to that \nparticular office of Chief Privacy Officer, and we have so much \nto learn from you and your experiences that you have had thus \nfar.\n    I appreciate your outstanding leadership on privacy and \nreally wish you the best of luck in your future endeavors. \nThank you so much for your service.\n    Mr. Greg Long, Executive Director of the Federal Retirement \nThrift Investment Board, and Mr. Greg Wilshusen, Director, \nInformation Security Issues at the U.S. Government \nAccountability Office.\n    As you know, it is the custom of the Subcommittee to swear \nin all witnesses. So, will you please rise and raise your right \nhand.\n    Do you solemnly swear that the testimony you are about to \ngive this Subcommittee is the truth, the whole truth, and \nnothing but the truth so help you, God.\n    Ms. Callahan. I do.\n    Mr. Long. I do.\n    Mr. Wilshusen. I do.\n    Senator Akaka. Thank you.\n    Let it be noted in the record that the witnesses answered \nin the affirmative.\n    Before we start, I want you to know that your full written \nstatement will be made a part of the record. I would also like \nto remind you to please limit your oral remarks to about 5 \nminutes.\n    Ms. Callahan, will you please proceed with your statement.\n\n  TESTIMONY OF MARY ELLEN CALLAHAN,\\1\\ CHIEF PRIVACY OFFICER, \n              U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Callahan. Thank you very much, sir. Good morning, \nChairman Akaka, Ranking Member Johnson.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Callahan appears in the appendix \non page 38.\n---------------------------------------------------------------------------\n    Thank you for the opportunity to appear before you today to \ndiscuss my role as the Department of Homeland Security\'s Chief \nPrivacy Officer, the Privacy Act, and the collaborative \nachievements of the Privacy Committee of the Federal Chief \nInformation Officers Council.\n    As you know, the Department of Homeland Security is the \nfirst department in the Federal Government to have a \nstatutorily mandated privacy officer, and for that I am \neternally grateful. I have had the privilege of serving in that \nrole since March 2009. The Homeland Security Act and the POWER \nAct grants the Chief Privacy Officer the primary responsibility \nfor ensuring that privacy considerations and protections are \ncomprehensively integrated into all DHS programs, policies, and \nprocedures.\n    I also ensure that personal information contained in \nPrivacy Act system of record is handled in full compliance with \nfair information practices. Many of my authorities are similar \nto those of Federal Chief Privacy Officers; but I am unique, \nhowever, in that my statutory mandate includes the authority to \ninvestigate department programs and operations.\n    During my tenure, I have led three major investigations of \nsignificant non-compliance with departmental privacy policy. \nConsistent with the office\'s unique position as both an adviser \nand an oversight body for the Department\'s privacy sensitive \nprograms and systems, I recently approved the creation of a \nprivacy oversight group within the DHS privacy office.\n    In addition to conducting investigations, the privacy \noversight team has instituted a series of privacy compliance \nreviews to improve a program\'s ability to comply with privacy \nassurances.\n    One specific example of my office\'s privacy efforts is the \nresponse to the OMB guidance on safeguarding personally \nidentifying information (PII). OMB guidance required agencies \nto develop and implement a policy on breach notifications which \nin DHS refers to as privacy incidents. In September 2007 and \nthen updated again in early 2012, the DHS privacy office \ndistributed its Privacy Incident Handling Guidance throughout \nthe Department to inform employees of their responsibilities to \nsafeguard PII. The guidance provides detailed information on \nhow to handle all stages of privacy incidents.\n    To ensure that staff are cognizant of PII protections, we \nalso recently updated our annual online training which is \nmandatory for all DHS employees and contractors.\n    One of the topics of this hearing today is the Privacy Act \nof 1974. The Privacy Act was passed in an era before electronic \ncommunications and databases were the norms in Federal \nagencies.\n    Nonetheless, many of the concepts embedded in the original \nAct are flexible enough to permit similar records to be treated \nconsistently regardless of where they are located.\n    One method to address modern challenges of implementing the \nPrivacy Act is to share best practices among Federal privacy \nofficials. Formal council-level bodies exist for many Federal \nchief officers. There is no formal council-level body that \nexists for Chief Privacy Officers. I am, however, proud to \nserve as the co-chair of the privacy committee of the Chief \nInformation Officer (CIO) Council. The privacy committee was \ninitially formed in response to the need to coordinate on \nshared challenges such as information sharing and protection of \npersonally identifiable information.\n    Since its formal establishment in 2009, the committee has \nsuccessfully functioned as a consensus-based forum for the \ndevelopment of privacy policy and protections throughout the \nFederal Government and is thoroughly integrated into the \ntechnology initiatives occurring within the Federal CIO \nCouncil. It provides an important venue in which to share \nexperiences, training, innovative approaches, and best \npractices. The committee has also led the development of \nprivacy standards and safeguards for emerging technologies such \nas cloud computing and social media.\n    In addition, the privacy committee this year has gathered \nthe uniform resource locators (URLs) or the Web sites for all \nthe privacy impact assessments and system of records notices \nfor each of the 55 participating Federal agencies. That list of \nprivacy impact assessments and systems of records notice are \navailable on CIO.com. The achievements of the privacy committee \nindicate the vital role it serves in promoting consistent \nFederal privacy policy, and it has been an honor to serve as \none of the committee\'s co-chairs.\n    The men and women who serve in the privacy offices \nthroughout the Federal Government are really unsung heroes. \nLocated in various parts of organizational structures, they \nstrive every day to apply the spirit and the law of the Privacy \nAct, the E-Gov Act and related privacy laws and policies.\n    It has been my pleasure to serve with these colleagues as \ntheir co-chair for the last 3\\1/2\\ years. I want to acknowledge \nall the hard work that they have performed throughout my \nFederal service.\n    Going forward, I am confident the Department will continue \nto embed privacy protections throughout its programs and \nservices. I am happy to answer any of your questions. Thank \nyou, sir.\n    Senator Akaka. Thank you very much, Ms. Callahan.\n    Mr. Long, will you please proceed with your statement.\n\n    TESTIMONY OF GREG LONG,\\1\\ EXECUTIVE DIRECTOR, FEDERAL \n               RETIREMENT THRIFT INVESTMENT BOARD\n\n    Mr. Long. Good morning, Chairman Akaka and Members of the \nSubcommittee. My name is Greg Long and I am the Executive \nDirector of the Federal Retirement Thrift Investment Board. The \nfive members of the Board and I serve as fiduciaries of the \nThrift Saving Plan. As fiduciaries, the law directs that we act \nsolely in the interest of the TSP participants and \nbeneficiaries and exclusively for the purpose of providing them \nwith benefits. Because of this fiduciary duty, Congress \nafforded the FRTIB significant independence. The FRTIB does not \nreceive appropriated funds for its operations. We are funded \nthrough participant monies and our budget is not subject to \nreview or approval by Congress or the President.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Long appears in the appendix on \npage 46.\n---------------------------------------------------------------------------\n    The TSP maintains individual accounts for more than 4.5 \nmillion Federal and Postal, members of the uniformed services, \nretirees, and spousal beneficiaries. As of June 30, the TSP \nheld approximately $313 billion in retirement savings.\n    I have been asked to discuss a number of issues, including \nthe cyber attack that resulted in the unauthorized access of \nthe personally identifiable information of roughly 123,000 TSP \nparticipants and payees. In July 2011, a desktop computer used \nby an employee of Serco, an agency contractor, was subjected to \na sophisticated cyber attack. Neither Serco nor the FRTIB was \naware of the attack at the time it occurred.\n    In April 2012, the Federal Bureau of Investigation (FBI) \nnotified Serco that the they had discovered data that appeared \nto be stolen from Serco. Serco then notified us of the cyber \nattack. At that time, it was unclear whether agency data had \nbeen accessed.\n    On April 13, we determined that personally identifiable \ninformation of TSP participants had been compromised. Within 1 \nhour, we notified U.S. Computer Emergency Readiness Team (U.S. \nCERT).\n    The FRTIB and Serco then worked to analyze numerous files \nto determine what data was accessed and which participants were \naffected.\n    On May 20, an independent verification and validation \nconcluded that the various files that had been correctly \nanalyzed.\n    On May 25, 5 days after the validated list was produced, we \nnotified affected participants about the cyber attack. My \nagency sent letters to each affected participant notifying them \nof the cyber attack and offering them one year of free identity \ntheft consultation, restoration, and continuous credit \nmonitoring.\n    I would like to emphasize the fact that this cyber attack \nwas made on our contractor\'s network. Neither the FRTIB\'s \nnetwork nor the TSP participant Web site were affected.\n    As the fiduciary for a plan charged with protecting the \nretirement savings, data security and privacy protection are \npriorities for us. Over the past decade, the FRTIB has \nundertaken a significant number of changes to its \ninfrastructure and established information technology (IT) \ntechnical controls to improve our IT security posture.\n    In addition to those information technology improvements, \nthe FRTIB has successfully added new services for its \nparticipants. Most recently in May, we rolled out the Roth TSP \noption which allows for after-tax contributions to the TSP.\n    Many of these changes added significant complexity to the \nplan. The need to implement these new funds and services, in \nlarge part, mandated how we assigned our personnel and \nallocated funding. For example, rolling out the Roth TSP \ninitiative was a 2-year project that required staffing from \nevery office within the Agency.\n    The FRTIB has security controls in place. Completing all of \nthe documentation and accreditation that is required in the \nFederal Information Security Management Act (FISMA), however, \nis an on-going area of focus for our Agency.\n    In September 2011, I approved an Enterprise Information \nSecurity and Risk Management (EISRM) Directive. Last month, I \napproved policies covering 18 families of management, \noperational, and technical security controls.\n    To ensure that our privacy and data security policies are \nappropriate, I have commissioned a ``Tiger Team\'\' to develop a \nplan to improve the security posture of agency information \nsystems.\n    Mr. Chairman and Members of the Subcommittee, helping \npeople retire with dignity is what drives the employees of the \nFRTIB. I deeply regret the cyber attack and the concern that it \nhas caused our participants.\n    I want to assure all of our participants that we will \ncontinue to pursue all new avenues to ensure the safety and \nsecurity of their personal data and their retirement funds.\n    I would be pleased to take any questions.\n    Senator Akaka. Thank you very much, Mr. Long.\n    Now, we will have a statement of Mr. Wilshusen. Will you \nplease proceed.\n\n   TESTIMONY OF GREG C. WILSHUSEN,\\1\\ DIRECTOR, INFORMATION \n     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Wilshusen. Chairman Akaka, Ranking Member Johnson, \nthank you for the opportunity to testify at today\'s hearing on \nthe State of Federal privacy and data security laws.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Wilshusen appears in the appendix \non page 52.\n---------------------------------------------------------------------------\n    Two key laws, the Privacy Act and E-Government Act are \nintended to protect the privacy of Americans personal \ninformation and to specify measures that Federal agencies can \ntake to reduce the risk of data breaches.\n    The increasingly sophisticated ways in which personal \ninformation is obtained and used by the Federal Government has \nthe potential to assist in performing critical functions such \nas helping to detect and prevent terrorist threats and \nenhancing online interactions with citizens. But, they can also \npose challenges in ensuring the protection of citizens privacy.\n    Today, I will describe the impact of recent technology \ndevelopments on key laws for privacy protection and actions \nagencies can take to protect against and respond to data \nbreaches involving personal information.\n    But, first, if I may, Mr. Chairman, I would like to \nrecognize several colleagues of mine who were instrumental in \ndeveloping my statement and who work very well in this area.\n    Behind me is John de Ferrari and David Plocher; and also \nJeff Woodward, Lee McCracken, and Melina Asencio made \nsignificant contributions to this effort.\n    Senator Akaka. Thank you.\n    Mr. Wilshusen. Mr. Chairman, technological advances since \nthe Privacy Act became law in 1974 have radically changed the \nway information is organized and shared among organizations and \nindividuals.\n    Federal agencies use social media services, data mining, \nelectronic databases, and other technologies to collect, use, \nand maintain personally identifiable information.\n    These advances have rendered some of the provisions of the \nPrivacy Act and E-Government Act inadequate to fully protect \nall personal information collected, used, and maintained by the \nFederal Government.\n    For example, we identified issues associated with applying \nprivacy protections consistently to all Federal collection and \nuse of personal information, limiting the collection and use of \nthis information to stated purposes, and establishing effective \nmechanisms for informing the public about privacy protections.\n    Accordingly, we suggested that Congress consider amending \nthe Privacy Act and E-Government Act to address these issues. \nDoing so could provide a number of benefits including: Ensuring \nthat privacy protections are applied consistently to all \nFederal collection and use of personal information; providing a \nproper balance between allowing government agencies to collect \nand use such information and limiting that collection and use \nto what is necessary and relevant; and providing individuals \nwith pertinent information about what personal data are to be \ncollected, how they are to be used, and the circumstances under \nwhich they may be shared.\n    Mr. Chairman, as you know, much of the personal information \ncollected and maintained by Federal agencies is processed and \nstored on computerized systems and networks. Yet, these systems \nand networks often do not provide sufficient security \nsafeguards to protect this information.\n    To assist agencies in protecting information, we have \nreported that they should assess the privacy implications of a \nplanned information system or data collections prior to \nimplementation; implement a robust information security \nprogram; and limit the collection of personal information, the \ntime it is retained, and who has access to it.\n    Nevertheless, Federal systems remain vulnerable and data \nbreaches do occur. The number of security incidents reported by \nFederal agencies involving personally identifiable information \nhas risen from about 13,000 in the year 2010 to over 15,500 in \n2011, an increase of 19 percent.\n    Thus, it is important that proper response policies and \nprocedures be in place. Notifying individuals affected by data \nbreaches has clear benefits such as allowing people to take \nsteps to protect themselves from identity theft.\n    Such notification is consistent with agency\'s \nresponsibilities to inform individuals about how their \ninformation is being accessed and used and it promotes \naccountability for privacy protection.\n    In summary, Mr. Chairman, ensuring the privacy and security \nof personal information collected by the Federal Government \nremains a challenge, particularly in light of the increasing \ndependence on networked computer systems that can store, \nprocess, and transfer vast amounts of data.\n    Updating Federal laws and guidance to reflect current \npractices for collecting and using personal information will be \nkey to meeting this challenge as is the need for agencies to \neffectively implement data security controls and privacy \nprotections.\n    Without sufficient attention to these matters, American\'s \npersonal information will remain at risk.\n    Chairman Akaka, Ranking Member Johnson, this concludes my \nstatement. I will be happy to answer any questions.\n    Senator Akaka. Thank you very much for your statement.\n    Mr. Long, you testified that the Board did not have a \nbreach notification plan in place at the time of the cyber \nattack because of insufficient resources.\n    The Board has also informed Committee staff that it does \nnot consider itself bound by the OMB guidance because the Board \nis an independent entity and it decides on a case-by-case basis \nwhich OMB guidance to follow.\n    Please discuss your view on whether the guidance applies to \nthe Board as well as whether you would expect any differences \nin the Board\'s approach going forward.\n    Mr. Long. Senator, thank you very much.\n    The OMB guidance has been very useful through the data \nbreach event and the cyber attack. We did not have a breach \nnotification policy in place. We review every piece of OMB \nguidance that comes to us, and we look at it to determine \nwhether there is anything within that guidance that conflicts \nwith my status and the Board status as a fiduciary. As a \nfiduciary, we have to act solely in the interest of the \nparticipants and beneficiaries.\n    In this case that guidance followed best practices. It was \nthe right thing to do. We reviewed it and it is one of the \nitems that we decided to get to.\n    However, and I regret that this happened but we did not \nhave the breach notification policy in place at the time that \nthe cyber attack occurred.\n    However, in responding to the cyber attack that guidance \nwas followed, and it was very useful in crafting our message \nand determining the process that we eventually went through.\n    Senator Akaka. Thank you for that.\n    As you know, I have offered an amendment to the \ncybersecurity bill we are debating on the floor to make breach \nnotification mandatory. I think it is really critical to make \ncertain agencies prioritize this before a breach occurs. We \nhope that can be done in that way.\n    Mr. Wilshusen, in my view, agency privacy officers have \nbeen critical to focusing attention and providing leadership on \nprivacy issues. I advocated the first statutory CPO at DHS and \nI have been pleased that this position was expanded to other \nagencies.\n    There have been several proposals over the years to create \na Chief Privacy Officer at OMB to manage privacy policy across \nthe government. What do you see as the potential benefits of \ndesignating a CPO for the Federal Government as a whole?\n    Mr. Wilshusen. Well, first, I would say that it would \ncertainly raise the profile of privacy within the Federal \nGovernment and the importance of implementing privacy \nprotections throughout the agencies.\n    In addition, the position could also provide advice to \nothers within the Executive Office (EO) of the President as \nwell as help coordinate privacy issues across Federal agencies, \neven potentially helping to monitor the implementation of \nprivacy controls and privacy protections at the Federal \nagencies and report on them appropriately.\n    Senator Akaka. Thank you.\n    This question is for Ms. Callahan and Mr. Wilshusen. As you \nknow, the recent STOCK Act requires, among other things, that \nthe financial disclosure forms of approximately 20,000 senior \nExecutive Branch employees be posted online, which will make \nthem available to anyone worldwide with Internet access.\n    I think government transparency is critical but publishing \nemployees\' personal financial information on the Internet does \nraise some concerns.\n    So, my question to both of you is: Do you feel this is an \nunnecessary invasion of employee privacy?\n    Ms. Callahan. I guess I will go first.\n    Thank you, Mr. Chairman. The STOCK Act has required that \nthe financial disclosures that were required for a series of \nindividuals, both senior status as well as political \nappointees, not only be available under a Freedom of \nInformation Act (FOIA) which it always has been but to be \navailable electronically online in a searchable fashion.\n    First, the privacy committee that I spoke about earlier \nactually has been trying to figure out some governmentwide \nguidance on how to address these issues and how to advise the \n20 some thousand individuals whose information is impacted. We \nhave had a lot of informal conversations with ethics councils \nand so on.\n    As a privacy advocate, I am concerned and I believe there \nmay be some privacy considerations in two fashions. One is the \npotential of identity theft, and we talk about data breaches \nand how to protect our information and how to preserve the \ninformation.\n    The information that is provided on that form, even if all \nof the Social Securities and other sensitive information has \nbeen removed, still paints a very detailed picture of an \nindividual that would be available for somebody to look at and \nto investigate.\n    So, not only is identity theft a possibility but theft in \ngeneral could be a possibility if you notice the types of \nassets and the protections therein. I also worry about the \nchilling effect that it could have on employees or potential \nemployees in the Federal service.\n    With that said, as the privacy officer with the privacy \ncommittee, we have tried to put in as many protections and give \nas much advice as we can in order to respond to this recent \nrequirement.\n    Senator Akaka. Thank you. Mr. Wilshusen.\n    Mr. Wilshusen. I would just say I also understand the need \nto balance government transparency and how government \noperations are conducted and by whom. But at the same time, the \ninformation that is being posted is quite personal in nature. \nSo there are certainly privacy risks and those risks need to be \nbalanced, as has been decided against the need for open \ntransparency.\n    But GAO has not looked at this issue specifically so I \ncannot really comment much beyond that.\n    Senator Akaka. Thank you very much and thanks for those \nresponses.\n    I also want to note that a number of influential homeland \nsecurity and intelligence community officials recently wrote to \nCongress that this requirement will create significant national \nsecurity threats and could place certain Federal employees and \ntheir families in harms way.\n    I think it is important to look closely at these issues and \nmake any changes that are needed to protect our national \nsecurity and employee safety.\n    Mr. Wilshusen and Ms. Callahan, I have been disappointed \nthat the Privacy and Civil Liberties Oversight Board (PCLOB) \nhas been dormant for so long.\n    Peter Swire, who will be testifying on the second panel, \nhas argued that the most important short-term action the Senate \ncan take on privacy is to confirm the five nominees for the \nBoard.\n    Do you agree with Mr. Swire\'s assessment? Mr. Wilshusen.\n    Mr. Wilshusen. I would say we have not looked at that \nparticular issue as part of my work so I cannot comment.\n    Ms. Callahan. As the Chief Privacy Officer at the \nDepartment of Homeland Security, the statute requires that we \nwork with the PCLOB; and at DHS and throughout the Federal \nGovernment, the Chief Privacy Officers are very much looking \nforward to working with the Board once it is confirmed.\n    Senator Akaka. Thank you very much.\n    Senator Johnson, your questions.\n    Senator Johnson. Thank you, Mr. Chairman.\n    First of all, Ms. Callahan, I also want to thank you for \nyour service and certainly wish you well in your next endeavor. \nAs the co-chair of the privacy committee, let us just kind of \nstart out. I would like to get your assessment of the range of \nprivacy practices and controls throughout the different \nagencies.\n    Can you just kind of comment on that?\n    Ms. Callahan. Certainly, sir. Thank you very much.\n    As noted in my oral testimony, there are privacy officers \nthroughout the Federal Government. They are in different places \nthroughout the Federal Government logistically, \norganizationally within the Departments.\n    I have been very fortunate to report directly to the \nSecretary thanks to the Homeland Security Act, and I think that \nhas inured not only to my benefit but to the Department\'s \nbenefit.\n    Federal Chief Privacy Officers are in different places \nreporting to different positions, whether it be the general \ncounsel, the chief information officer, the chief financial \nofficer; and I worry that consistency and organizational \nstructure may lead to more inefficiencies in terms of trying to \naddress privacy considerations.\n    With that said, the work of the privacy committee and the \nwork of these individuals is really yeoman\'s work in that they \nare working every day to integrate the privacy elements. It \njust depends on where they are in the organizational structure \nthey have more success or less.\n    Senator Johnson. Would you say the range in terms of \nuniformity of privacy standards is primarily related to what? I \nmean, would you say how high profile the privacy officer is in \nrelationship to the Secretary or are there other factors at \nplay?\n    Ms. Callahan. I think that is a factor. I think that the \nculture of the agency or Department may also be a factor. There \nalso may be a factor in the sense that if they had a privacy \nconsideration or a problem before that may have heightened the \nprivacy considerations.\n    The chairman mentioned the Veterans\' Affairs Committee and \nthe Veterans\' Affairs Committee CIO is actually one of my co-\nchairs on the privacy committee to kind of have that nexus \nbetween technology and privacy.\n    Senator Johnson. Do you think that probably the best way of \ngetting uniformity is really through the privacy committee \nthen? Is that working well? Do you have any other suggestions \non that?\n    Ms. Callahan. I certainly think that has helped a lot and \nthat has helped leverage best practices, also to leverage \nresources. DHS is the most well-resourced privacy office and \nagain thank you for that.\n    To go and use our work to try to go across the less funded \nagencies, as I said, we have 55 members who are participating \nincluding, obviously, independent agencies, and I think that \nhas been very useful.\n    The attention that privacy gets, including this hearing, I \nthink will be very beneficial.\n    Senator Johnson. This might be kind of a hard question but \ncan you name the top two or three agencies in terms of privacy \ncompliance and maybe name two or three that really give you \nconcern or not, probably not?\n    Ms. Callahan. Well, the No. 1 is obviously the Department \nof Homeland Security. [Laughter.]\n    Beyond that, it probably does not behoove me even on my \nlast day to comment.\n    Senator Johnson. Maybe privately you can give it to us.\n    Ms. Callahan. I would be happy to, sir.\n    Senator Johnson. Mr. Long, can you give me some sense of \nyour evaluation of how good these standards are for cyber \nprotection, let us say, in your agency and maybe even \ngeneralize it throughout the Federal Government in comparison \nto the private sector?\n    Mr. Long. I can comment certainly on our agency. One of the \nactions that we have been very busy with over the past decade \nhas been to focus on IT improvements and architecture and \ntechnical controls.\n    So, we undertook a significant modernization effort in \nterms of hardening our server environment. We made sure that we \nhad protection built into our new capabilities--that has been a \nbig focus on what we do going forward.\n    That said, we certainly have to focus on the FISMA \ndocumentation that is required. Even with all of this, we know \nthat there are sophisticated attackers out there. We have been \na victim. Our contractor was the victim and we felt the effects \nof that attack.\n    So, we need to go back and re-double our efforts and that \nis exactly one of the efforts that we are going through right \nnow. We have felt that we have focused on IT security but this \nis a wake-up call and we are going to look at it and look at it \nclosely.\n    Senator Johnson. Who do you rely on in terms of advising \nand trying to set up your IT security?\n    Mr. Long. We have internally our chief technology officer. \nWe will focus on the chief technology person as well as the \nchief information security officer that reports to the head of \ntechnology.\n    We recently established an office that reports directly to \nme for enterprise risk management. In addition, we will reach \nout to the third-party providers of services and now we are \nactually reaching out to DHS to figure out whether we can learn \nthings from different councils and then through other \ngovernment bodies.\n    Senator Johnson. Are you finding DHS to be very helpful \nfrom that standpoint? I mean, is that a really good core group \nto go to or would you be better off going to potentially other \nagencies that may have, I mean, do you have a clue in terms of \nwhich agencies are hardened in terms of cybersecurity? Which \nones lead the way?\n    Mr. Long. In terms of our outreach to DHS prior to this \nevent and to other agencies, it was limited. We certainly \nparticipated on the small agency counsel. We participated on \nmultiple groups, the chief information security council.\n    So, we would rely on small government groups on an ad hoc \nbasis. Now, as reaction to a cyber attack on our vendors \nnetwork, we are now trying to figure out how we can formalize \nthat better, whether it is through DHS or other groups within \nthe government.\n    And then second, in forming a team to look at these issues, \nto figure out whether we need to go to third-party, private \ninstitutions to assist us with remediation and best practices \non technology.\n    Senator Johnson. OK. Thank you. I am almost out of time.\n    Are we going to do a second round?\n    Senator Akaka. Yes.\n    Senator Johnson. OK. I will wait.\n    Senator Akaka. Thank you very much, Senator Johnson.\n    Ms. Callahan, I am interested in hearing more about your \nexperience as the only Chief Privacy Officer with the \nstrengthened investigative authorities granted by the 9-11 \nCommission Act of 2007.\n    In my view, extending these authorities to DHS was \ncritical, given the Department\'s broad homeland security \nauthorities, but I believe these investigative powers also \ncould provide an important check against abuses in other \nagencies.\n    So, my question has two parts. Will you please elaborate on \nhow your work has benefited from these authorities and also \ndiscuss whether you believe they should be extended to Chief \nPrivacy Officers across the government?\n    Ms. Callahan. Thank you, sir.\n    My investigatory authority has benefited my position in the \nDepartment quite a lot. As I mentioned earlier, the \ninvestigatory authority kind of helps me have the life cycle of \nprivacy compliance in terms of how we announce what we are \ngoing to do beforehand, how we go and have the privacy \ncompliance reviewed to make sure that our assurances are, \nindeed, consistent with what we have done, and if we have had a \ndeviation, that we have the ability to have the investigation \nto go and look at what went wrong and how we can help \nameliorate it and mitigate it for the entire Department.\n    I have had three major investigations of Department \nnoncompliance with privacy policy. In each of those, it was not \njust a data breach, although a data breach was involved in at \nleast one of them.\n    But, it was more of a systemic circumstance where the \nDepartment as a whole could learn from it, and I will use as an \nexample, my first investigation was actually of the Inspector \nGeneral (IG) which I took a slight bit of glee about.\n    But what had happened was the Inspector General using \nfinancial information for their financial audits that are \nrequired, their contractor used an unencrypted Universal Serial \nBus (USB) drive and passed it among each other because the DHS \nsystem was too hard to use and to utilize. So, they had it as \nkind of the team USB drive. That had information from the U.S. \nImmigration and Customs Enforcement (ICE), the United States \nCitizenship and Immigration Services (USCIS), the Customs and \nBorder Protection (CBP) and other components on it because it \nwas part of the financial concerns.\n    The USB drive was lost; and so, the Inspector General, \nconsistent with his authority, did the fact-finding of what \nhappened and kind of the facts associated therein.\n    I then applied a privacy analysis to the circumstances, to \nthe noncompliance with DHS policy and also looked at avenues \nand ways for recommendations for the entire Department to \nameliorate both the contractor use of DHS information but also \nwhen people hold other component information, what is the data \nbreach process, what is the notification process, and the \nmitigation process. And, I think that was a successful example \nof using my investigatory authority to help further the goals \nof the Department.\n    Relatedly, I had an investigation associated with social \nmedia use which has then resulted in the management directive \non the operational use of social media for the entire \nDepartment.\n    And, I think that those are good examples. Investigations \nare a significant resource drain but at the same time they \nreally help to shape the direction of the Department, and I \nthink that my office and the Department and its maturation in \nprivacy policy has benefited extraordinarily from that process.\n    Senator Akaka. Thank you.\n    Mr. Long, you testified that Serco, a contractor that \nassists TSP with recordkeeping was the subject of the cyber \nattack that we are discussing today.\n    How do you intend to work with current and future \ncontractors to ensure that TSP personal information is properly \nsecured?\n    Mr. Long. Senator, thank you.\n    The contract in question, the one with Serco, is actually \ncurrently in the process of being designed for rebid. So, we \nhave put out a public announcement a couple of months ago. We \nare in the process of designing the procurement action. We \nanticipate rolling that out on the street by the end of this \ncalendar year and then awarding it the next fiscal year.\n    That contract, I can assure you, will have very stringent \nIT security restrictions built into it.\n    Senator Akaka. Further, do you think Serco will continue to \nprovide recordkeeping services for TSP in the future?\n    Mr. Long. I anticipate that it will be a full and open \ncompetition. We are seeking robust competition from all \nparties.\n    Senator Akaka. Yes.\n    Mr. Long, you testified that TSP has an extraordinary \nrecord retention burden. I agree that some data breaches could \nbe prevented by limiting the time agencies retain personal \ninformation.\n    Will you please elaborate further on your recommendation?\n    Mr. Long. Yes. One of the comments that I think you see \ngoing through the testimony is a recommendation on limiting the \ntime that personally identifiable information is retained and \nthat relates to one of the recommendations that we made in that \ncurrently the statute that governs what we do at FRTIB does not \ncontain a statute of limitations for judicial review of a claim \nfor benefits brought by a TSP participant or beneficiary.\n    This is an indefinite exposure to potential litigation for \nan unlimited period of time even after a participant takes all \ntheir accounts and is gone for years.\n    Therefore, we have advocated for a statute of limitations \nthat would limit the amount of time the benefits claim is open, \ntherefore, limiting the amount of time we would have to retain \npersonally identifiable information. A 5-year statute of \nlimitations is what we recommend and that is typically longer \nthan what is generally seen within other Employee Retirement \nIncome Security Act (ERISA), 401(k) plan type designs.\n    Senator Akaka. Thank you.\n    My last question. Mr. Wilshusen, you testified that the \nPrivacy Act is ineffective in informing the public about \nprivacy practices and policies.\n    For example, system of records notices published in the \nFederal Register often are difficult to find and to understand. \nWill you please elaborate on why establishing a centralized \nFederal Government privacy Web site as proposed in my bill, S. \n1732, will help address this concern?\n    Mr. Wilshusen. Well, I think because it will provide a \ncentral location and one that is readily accessible. If it is \non a Web site that users and the public can access in order to \nfind information about the Systems of Records Notices (SORNs) \nor PIAs as well as other privacy protections that are available \nto information that is collected and used by the Federal \nGovernment that will be certainly helpful in meeting the \nopenness principle as well as the notification of government \nactivities for the public.\n    Senator Akaka. Thank you very much. Senator Johnson.\n    Senator Johnson. Thank you, Mr. Chairman.\n    Mr. Wilshusen, you testified about the concept of limiting \nthe information the Federal Government obtains and basically \nlimiting the time that it is kept.\n    Can you elaborate on that point?\n    Mr. Wilshusen. Well, certainly. If Federal agencies are \ncollecting personally identifiable information for a stated \npurpose, once that purpose has been achieved, if they continue \nto retain that information indefinitely for no other particular \nuse, then potentially if appropriate security controls are not \nplaced over that information, it could be subject to risk of \nunauthorized disclosure to someone who might be able to break \ninto their systems or gain access to that information.\n    So, the principle is just for as long as you need the \ninformation, keep it, protect it. Once that need no longer \nexists, then get rid of it, delete it, subject to Federal \nrecords retention schedules.\n    Senator Johnson. Does any agency in the Federal Government \nemploy that practice right now?\n    Mr. Wilshusen. I think probably in certain circumstances \nthey might. I know, for example, that OMB had a requirement, in \nterms of safeguarding personally identifiable information, that \nif personal information is placed on agency laptop computers \nwhich are then taken out of the building and the agency \ndetermines that it no longer needs that information on those \nlaptops, then it needs to delete it within 30 days.\n    To the extent that is being implemented and followed is \nsomething we have not expressly examined to date.\n    Senator Johnson. Ms. Callahan, picking up on that same \npoint, in your privacy committee is this something that is \nbeing discussed.\n    Ms. Callahan. In the privacy committee, we are not \ndiscussing necessarily retention periods. We are having that \nconversation more intra-department in terms of looking at how \nlong we retain information and what is the nexus between the \ndifferent data retention periods and how do they impact both \nour mission but also the other information that is collected.\n    Mr. Wilshusen mentioned if there is an extract of \ninformation and put on a laptop or a USB drive, hopefully an \nencrypted one, we do have requirements associated with that.\n    But, that is just an extract of the information. The \ndatabase at large, we are governed by the data retention \nperiods. We do look at them every time the Department of \nHomeland Security does the statutorily required biennial review \nof SORNs to make sure the retention period should remain, and \nwe do consider those issues as we renew the SORNs.\n    Senator Johnson. Are there within agencies, though, are \nthere actually processes for deleting information?\n    Ms. Callahan. Oh, I am sorry. There are processes for \ndeleting information before the period, before the retention \nperiod is up.\n    Officials are often reticent to do that for two reasons. \nOne because they already have an approved retention period from \nthe National Archives and you do not want to go counter to \nthat.\n    The second, there is also the question about whether or not \nit affects operations if you delete information on a more \nsubjective standard as Mr. Wilshusen had argued. That is a \ndiscussion within the privacy community a lot in terms of what \nis the proper retention period. As I said, within the \nDepartment we have those conversations frequently.\n    Senator Johnson. You just used a word that I want to try \nand pick up and question you about. Counter. How many different \nrules, regulations, laws in the Federal Government run counter \nto each other when it comes to privacy?\n    I realize that is a really large question. But, do you have \na relatively succinct answer for that or can you hit on that?\n    Ms. Callahan. I think the tension is that the goal of the \nprivacy officer is to support the missions and to support \nprivacy, and retention is one element of that. I think all of \nthe fair information practice principles are ones that you have \nto analyze.\n    And so, I think that, if you look at statutes throughout \nthe government, the Privacy Act, 40 years old, has some \nelements that may be logically inconsistent with some of the \nother more recent statutes. Yes.\n    Senator Johnson. Let us go to the other elements that Mr. \nWilshusen had talked about in terms of limiting the \ninformation. Is there any kind of robust effort, or any effort, \nongoing in any agency about really taking a look at what \ninformation is really required so we do not ask for more than \nwe really need?\n    Ms. Callahan. I can answer that question for the Department \nof Homeland Security which is, yes, we are looking into ways to \nnot collect the same information over and over from the same \npeople if we do not have to.\n    One of the things that surprised me when I came to the \nDepartment was how we had a lot of the same information in 47 \nor however many different databases and the databases were not \nnecessarily federated or integrated with each other. That could \nhave privacy risks in and of itself because you have different \npeople logging on. You may not have auditing accountability.\n    We are working within the Department to find an \ninfrastructure that will allow us to be more efficient, more \neffective, maybe collect less information from the public, and \nI think that they may all cheer for that, but also to have a \nsystem that has more privacy controls and more privacy \nprotections in terms of a way to have the databases interact.\n    So, we are thinking about it in the fledgling stages but \nthat is definitely something that I think the Department is \ngoing to move forward with.\n    Senator Johnson. Mr. Wilshusen, we are debating a \ncybersecurity bill which, depending upon how it all turns out, \nmight impose certain requirements, regulations on the private \nsector.\n    I just kind of want to get your feel in terms of the \ngovernment\'s ability to meet those same types of standards. I \nrealize that is very difficult to answer because we really do \nnot know what those standards might be.\n    But can you just in general speak to the level of technical \ncompetency within most agencies, how broad that technical \ncompetency is versus the private sector?\n    Mr. Wilshusen. I would be glad to. We do quite a bit of \nwork examining the information security controls at Federal \nagencies, and we look at it from different levels. One, across \nthe Federal Government in terms of how agencies are reporting \nthe implementation of the various different controls as part of \nthe FISMA reporting process.\n    As part of GAO\'s responsibility to audit the government \nconsolidated financial statements, we work with the agency\'s \nIGs to assess the effectiveness of their controls in protecting \ninformation security controls over the financial information.\n    Then, we do other tests of agency\'s information security \ncontrols as requested by Members of Congress. We have been \nreporting that Federal information security has been a high \nrisk area, a governmentwide high risk area since 1997.\n    Just most recently, the work that we have done and in \nreviewing the work also of the IGs, the majority of the 24 \nmajor CFO Act agencies have weaknesses in most of the \ninformation security controls that we review.\n    And, these would include access controls or those controls \nare designed to restrict, limit, and detect unauthorized access \nto resources as well as other security management programs and \ntheir procedures for managing the configurations of their \ndevices.\n    By and large most of those agencies have weaknesses in \nthose areas.\n    Senator Johnson. Just one quick followup.\n    Can you access or make an evaluation in terms of the \ncompetency between the Federal Government and those agencies in \nthe private sector? Because you are going to see the weaknesses \nin the private sector as well.\n    Mr. Wilshusen. In the few instances where we have examined \nthe security controls at private sector organizations that are \nperforming services for the Federal Government, we have found \nthe same types of security weaknesses in those systems as we do \nin the Federal systems.\n    Senator Johnson. OK. Thank you very much.\n    Senator Akaka. Thank you very much, Senator Johnson.\n    I want to thank our first panel very much for your \nresponses, your statements, and your valuable offering here. I \nwould like to wish you well in your work and hope we can \ncontinue to work together on privacy and security issues as \nwell.\n    So, thank you very much for being here.\n    I would ask that our second panel come forward. I want to \nwelcome our second panel.\n    Mr. Peter Swire, C. William O\'Neill Professor of Law at \nOhio State University. Mr. Swire had a previous engagement in \nSeattle, Washington, he will be testifying by teleconference \nthis morning.\n    Mr. Chris Calabrese, Legislative Counsel at the American \nCivil Liberties Union (ACLU). And, Mr. Paul Rosenzweig, who is \na visiting fellow at the Heritage Foundation. Thank you all so \nmuch for being here.\n    As you know, it is the custom of this Subcommittee to swear \nin all witnesses. So, will you please rise and raise your right \nhand.\n    Do you swear that the testimony you are about to give this \nSubcommittee is the truth, the whole truth, and nothing but the \ntruth so help you, God?\n    Mr. Swire. I do.\n    Mr. Calabrese. I do.\n    Mr. Rosenzweig. I do.\n    Senator Akaka. Thank you very much all of you.\n    Let it be noted for the record that the witnesses have \nanswered in the affirmative.\n    Before we start, I want to remind you that your full \nwritten statements will be a part of the record. We ask you to \nplease limit your oral remarks to 5 minutes.\n    Mr. Swire, please proceed with your statement.\n\n TESTIMONY OF PETER SWIRE,\\1\\ C. WILLIAM O\'NEILL PROFESSOR OF \n                  LAW AT OHIO STATE UNIVERSITY\n\n    Mr. Swire. Mr. Chairman, and Ranking Member Johnson, thank \nyou for asking me to testify here today for this hearing on \nFederal privacy, and thank you also letting me testify \nremotely. I was unable to be in Washington today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Swire appears in the appendix on \npage 69.\n---------------------------------------------------------------------------\n    I would like to congratulate Mary Ellen Callahan for her \nservice at DHS and the leadership she has shown to the Federal \nagency privacy community over time.\n    In this testimony, there are a lot of issues we could talk \nabout. I am going to briefly talk about four issues.\n    Chairman Akaka, as you said, I think that the Senate should \npromptly confirm the five nominees for the Federal Privacy and \nCivil Liberties Oversight Board. This is the most important \nshort-term action the Senate can take on privacy.\n    With the cybersecurity legislation, we are going to have \npotentially a lot more information sharing and the PCLOB is the \nway to have the oversight to go with that. All five nominees \nfor the PCLOB have been voted out of the Judiciary Committee \nand all five have been supported by the 9/11 commission \ncochairs, Kean and Hamilton.\n    There were some dissenting votes in the Committee for the \nproposed chairman, David Medine. He is an outstanding nominee. \nHe was a senior civil servant at the Federal Trade Commission \n(FTC) on privacy for many years. He has done work at the law \nfirm of WilmerHale with compliance. He really has a workable \nrealistic sense of things.\n    It is important to confirm the chairman as a part of the \nslate because only the chairman can hire staff by statute. So, \nunless we confirm the full slate, we will not have an oversight \nBoard.\n    The second topic I am going to discuss is the idea of \nhaving a Federal Chief Privacy Officer. Senator Akaka in S. \n1732 would create this by statute.\n    I had a role similar to that when I was chief counselor for \nprivacy in the Office of Management and Budget under President \nClinton and that has not been repeated as a position.\n    I think such a position has three advantages. It can \ncoordinate across agencies, and new issues come up all the time \nas we were hearing. Here is one example. Drones is an issue \nthat hits the Federal Aviation Administration (FAA) but up \nuntil now drones have not had to deal with privacy; but if they \ncome through out the U.S. airspace, we have new privacy issues \nand we should have a sort of coordinated Federal response to \nthe privacy issues there.\n    Second, a Federal Chief Privacy Officer could help with \nclearance across agencies so we have coordinated policy. And \nthird, increasingly there are international issues, transborder \nissues for privacy, and so having that work correctly overseas \nis, I think, very important.\n    In doing this, I think it helps to have a statute. We have \nseen the DHS have the outstanding agency privacy activities in \nlarge part because your Committee put that into the statute and \nhas supported the position that Mary Allen Callahan has been \nin. And I think that without a statute, it is easy for OMB not \nto move forward and really create the office.\n    My testimony suggests that the Chief Privacy Officer might \ntake the lead on nonclassified information systems whereas the \nPCLOB perhaps would take the lead on oversight for classified \ninformation systems.\n    So, the third point I would like to get to is some \nloopholes in the Privacy Act as written. And, the proposed S. \n1732 correctly recognizes there is a loophole in the Privacy \nAct for the definition of system of records.\n    The current definition applies only to records that are \nretrieved by name; but with modern search engines, we often \nretrieve things in lots of other ways and then turned up the \nnames.\n    So, the proposed amendment would close the loophole and it \nwould have the effect of requiring a much greater number of \nsystem of record notices for Federal agencies.\n    In my view having more of these SORNs, would create \ncompliance burdens for agencies but not necessarily give us the \nbiggest pay off in terms of privacy.\n    So, my testimony suggests a more promising approach might \nbe to improve the privacy impact assessments under the E-Gov \nAct. For instance, we could post these PIAs to a unified Web \nsite. We could have public comments on the PIAs, and agencies \ncould be required to respond to these public comments and I \nthink this might be a more effective way to put attention on \nthe most important privacy related systems.\n    The fourth in my four points is that the oversight process \nfor this Committee could focus more attention on the line \nbetween what is identified and de-identified data in Federal \nagencies.\n    De-identification is a way where we can get uses from the \ndata. We can look for patterns and all of that but still have \nprivacy protection. Recently, the Federal Trade Commission has \nproposed a promising approach for de-identifying data for the \nprivate sector.\n    I think we can learn from that initiative, and also I will \nbe working with the future privacy forum this year on a project \non how to do de-identified data better.\n    So, in conclusion, I thank the Committee for the service of \ndrawing attention back to these issues of Federal agency \nprivacy policies and I look forward to trying to help with any \nquestions. Thank you.\n    Senator Akaka. Thank you very much, Mr. Swire.\n    Mr. Calabrese, would you please proceed with your \nstatement.\n\nTESTIMONY OF CHRISTOPHER R. CALABRESE,\\1\\ LEGISLATIVE COUNSEL, \n                 AMERICAN CIVIL LIBERTIES UNION\n\n    Mr. Calabrese. Good afternoon, Chairman Akaka, Ranking \nMember Johnson. Thank you for the opportunity to testify on \nbehalf of the American Civil Liberties Union on the Privacy \nAct, a landmark statute that now requires a major update from \nCongress.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Calabrese appears in the appendix \non page 84.\n---------------------------------------------------------------------------\n    The Privacy Act lays out citizens rights and Federal agency \nresponsibilities for the handling of personal information. The \nAct controls when records can be collected and how they can be \ndisclosed, provides notice and mandates agencies keep secure, \naccurate, and accessible records.\n    But, the Act has always had some major loopholes and has \nbecome even more outdated over time. Agencies often sidestep \naccess, accuracy, and relevance requirements by taking the many \npermissible exceptions under the Privacy Act. They also avoid \nthe Privacy Act\'s prohibitions on disclosure by labeling any \nand all sharing as routine.\n    Additionally, the Act only protects systems of records when \nan agency retrieves information about a specific individual or \ninformation tied to that individual. Hence, it does not apply \nto techniques such as data mining which use pattern-based \nsearches not tied to an individual.\n    Finally, the Federal Government often uses commercial \ndatabases which frequently contain incorrect information and \nare outside the protections of the Privacy Act.\n    Major steps toward fixing these problems can be found in \nSenator Akaka\'s legislation.\n    As we have heard, agency notice when personal information \nis lost or stalled in is a serious and ongoing problem. The \nACLU believes that existing OMB guidance is inadequate. It \ngives far too much discretion to individual agencies as to \nwhether to disclose these embarrassing breaches.\n    The Supreme Court has also weakened the remedies under the \nAct. In a case called FAA v. Cooper, decided in March, the \ncourt held that when an agency disclosed an individual\'s HIV \nstatus, he could not recover damages for mental or emotional \ndistress the matter how severe because he did not suffer \nfinancial harm as a result of the violation.\n    This decision is particularly harmful because the damage \nfrom privacy disclosures is often an embarrassment, anxiety, \nand emotional distress, precisely what the court forecloses.\n    Finally, despite improvements from some agencies, oversight \nremains inadequate. This reality is as we have heard troubled \ntimes already embodied by the PCLOB, which is tasked with \nmonitoring agency information sharing practices related to \nterrorism.\n    As we have heard, it existed in its current form since 2007 \nbut a full slate of nominees was not put forward by either \nPresident Bush or President Obama until late last year and the \nBoard is still vacant.\n    Significant misuse of personal information has resulted \nfrom these erosions of Federal privacy protections. The most \nrecent example of this trend is the sweeping changes the \nNational Counterterrorism Center (NCTC), made to its guidelines \non the collection and use of information about U.S. persons not \nsuspected of wrongdoing.\n    Previously, NCTC discarded information on U.S. persons not \nconnected to terrorism within 180 days. However, under its new \nguidelines, NCTC keeps this information for up to 5 years.\n    This collection may be happening as a so-called routine use \nunder the Privacy Act. This change, along with others affecting \nhow NCTC analyzes and shares information, now allows the agency \nto perform searches on people with no connection to terrorism \nand shares the results for a wide variety of purposes with \nalmost anyone.\n    By fully exploiting loopholes in the Privacy Act, NCTC can \nturn the vast power of the U.S. intelligence community on \ninnocent Americans. Using personal information for different \npurposes, and sharing it broadly are precisely the type of harm \nthe Privacy Act was enacted to prevent.\n    The Federal Government collects an enormous amount of \npersonal information so people can receive benefits and \nservices, exercise fundamental rights like voting or \npetitioning the government, getting licenses for everything \nfrom purchasing a handgun to businesses and industry, for \nemployment, education, and for many types of health care.\n    This information collection is nearly ubiquitous in \nAmerican life. None of this would have been a surprise in 1974. \nAccording to the congressional findings from the Privacy Act, \nthe use of information technology can greatly magnify the harm \nto the individual; and so, in order to protect privacy, it is \nnecessary and proper for the Congress to regulate the \ncollection, maintenance, use, and dissemination of information \nby such agencies.\n    Congress must once again take up that duty and protect \npersonal information on all of us by updating the Privacy Act. \nThank you.\n    Senator Akaka. Thank you very much Mr. Calabrese for your \nstatements.\n    Mr. Rosenzweig, please proceed with your statement.\n\n  TESTIMONY OF PAUL ROSENZWEIG,\\1\\ VISITING FELLOW, HERITAGE \n                           FOUNDATION\n\n    Mr. Rosenzweig. Thank you very much, Mr. Chairman, Senator \nJohnson. I appreciate the opportunity to be with you today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Rosenzweig appears in the \nappendix on page 99.\n---------------------------------------------------------------------------\n    I take a very different perspective, I think, on the \nPrivacy Act. I think I share the view of almost everybody who \nhas spoken that the Privacy Act is outdated. Any act that was \npassed at a time when the personal computer did not exist \ncannot hope to match the current technological structures we \nhave.\n    Where I think I differ is in thinking that we can fiddle \naround at the edges with modifications and extensions of older \nconceptions. To my mind, the technological revolution is so \ngreat that it is really time for a wholesale \nreconceptualization of what the Privacy Act is and how we deal \nwith privacy.\n    We stand at the cusp of a technological revolution, indeed, \nnot at the cusp but in the midst of it. We are not just doing \nexabytes but yottabyte and zettabytes of data every day, all of \nit in unstructured formats, but that is being matched by \nmassive increases both in processing capacity and data storage \ncapacity that allow people to make sense of this data in new \nand different ways.\n    The new sense making that we are doing is of great value. \nIt is of value commercially to people who want to sell things; \nbut as relevant to this Committee, it is of value to the \ngovernment. It is of value to the government in \ncounterterrorism and in law enforcement.\n    It brings with it acknowledgedly the threat that it may \nalso be put to purposes which we would not want the government \nto do, things like targeting people because of their political \nbeliefs or something like that but we can no longer maintain \nthe artificial categories of use distinctions, purpose \ndistinctions, data retention rules that are being destroyed \nessentially by the technological changes that are happening \naround us.\n    We retained data in the NCTC for an increased amount of \ntime not because we want to target America\'s political beliefs \nbut because we have come to learn that we cannot predict today \nhow much value there will be in this information 5 years from \nnow and what particular pieces of information will be of value \nto, say, a new terrorist investigation.\n    We have seen in counterterrorism investigations, at least \nwhen I was in the Department 5 years ago, data searches that go \nback 8, 10, 12 years. This is the type of reality that we must \ndeal with while at the same time recognizing that there is the \nthreat of misuse.\n    To my mind, the best way to ensure the privacy of citizens \nin America today, the reasonable privacy of citizens, is to no \nlonger tie our conceptions to older technological constructs of \nword searches by name or by date.\n    Rather, we should focus instead on use and purpose \nlimitations that are inconsistent with those current \ncapabilities and the threat environment.\n    We should better focus the privacy rules on what I think \nare, and I will admit this, much more difficult questions of \ndefining what is and is not an appropriate consequence that can \nbe imposed from the use of data, that is, structuring when we \ncan take that data and impose an adverse consequence on an \nAmerican citizen.\n    That requires a much finer degree of analysis at the back \nend rather than categorical imperatives at the front end: use \nonly for this purpose, keep only for this long, when you \ncannot, in any way, define those in advance with any degree of \nclarity.\n    To my mind, while many of the improvements that are \nproposed for the Privacy Act will certainly work marginal \nincreases in the benefits that we would gain to privacy in the \nsystem, in the end they are going to be overtaken by technology \nand we will wind up, if we do not take this task on, with a \ngovernment use of data analytics and a privacy rule that \nrestricts us to a locked-in technology that is where we are \ntoday while both the commercial sector in America, and more \nimportant from my perspective, our peer competitors outside of \nthe United States rush ahead with technological advancements \nthat we have denied ourselves because of fears of technology.\n    That does not suggest that we cannot ignore the possibility \nof misuse. Indeed, as my testimony suggests, I think that \nenhanced oversight and audit are the key ways to go forward in \ndoing that; but categorical rules are, in my judgment, a \nstraight jacket and should be eschewed.\n    With that, I look forward to answering your questions. \nThank you.\n    Senator Akaka. Thank you very much for your statement, Mr. \nRosenzweig.\n    Mr. Swire, you testified forcefully about OMB\'s leadership \nvoid in Federal privacy policy and the need for a Federal Chief \nPrivacy Officer to spearhead the interagency clearance process \nand represent the Administration on international privacy \nmatters.\n    Why, in your view, has OMB not taken on a stronger \nleadership role in privacy and what steps should OMB be taking?\n    Mr. Swire. So, Senator, I would say that one thing I did \nsee when I was in OMB is that the headcount in the Executive \nOffice of the President is closely guarded. There is a very \nstrict limit on how many people can be employed within OMB.\n    And so, when they are making choices about working on the \nFederal budget and doing all of the management tasks that they \nare doing, they are very cautious about adding staff.\n    At the peak of my time there, I had myself, two full-time \npeople, and a detailee, and that was with a lot of work to get \nup to the staff at that level.\n    I think what we see, and this is what happened with Howard \nSchmidt in the cybersecurity czar position is that there needs \nto be a way where OMB and the Executive Office of the President \nwork with the agencies to provide more staffing.\n    That is just a lot of work to set up and I really do think \nthat having a pretty good nudge from Congress will help put \nthat in place; and without it, it just seems like a large \nchallenge that is hard for them to put together \nbureaucratically.\n    Senator Akaka. Thank you.\n    Mr. Calabrese, you testified that the Privacy Act does not \nextend to the Federal Government\'s use of commercial databases. \nSome of these databases may have a high level of inaccuracies. \nEven though their use may affect Americans\' rights, there is no \nnotice about their use and no process for individuals to \ncorrect their records.\n    Will you please elaborate on this problem and how we could \nachieve better transparency of the Federal Government\'s use of \ncommercial databases?\n    Mr. Calabrese. Thank you, Senator Akaka.\n    Well, of course, the first answer is we could adopt your \namendment as part of the cybersecurity bill. It has in it a \nprovision that says that commercial databases will be required \nto comply with the E-Government Act which is, of course, a \nclose companion to the Privacy Act which requires agencies to \ndisclose how they are using databases, where the information \ncomes from, the sources of it, and that is a very important \ntransparency tool.\n    Right now, we really do not have a feel even for how \nagencies are accessing these records, where they are coming \nfrom, what they are relying on. Many of these databases started \nas marketing databases.\n    So, if you were compiling a database to sell magazine \nsubscriptions, 80 percent accuracy or 90 percent accuracy was \ngreat. If you got a few wrong, it was just a few wrong \nsubscriptions. Obviously, that same standard cannot apply when \nagencies are performing vital functions.\n    So, I think we start with the transparency provision. We \nlearn where this information is coming from, what they are \nusing with it, then we can begin to figure out how it should be \nproperly regulated.\n    Senator Akaka. Thank you, Mr. Calabrese.\n    Mr. Rosenzweig, the Supreme Court\'s ruling in FAA v. Cooper \nearlier this year restricted Privacy Act remedies; and by many \nexperts\' accounts, rendered the Act, as I mentioned, in my \nstatement, toothless.\n    Experts including Jim Harper at Cato have urged Congress to \namend the Privacy Act so it is clear that individuals are \ncompensated for proven mental and emotional distress.\n    Do you agree that we should amend the Privacy Act to \nrestore these remedies?\n    Mr. Rosenzweig. Senator, I think that the much superior way \nof ensuring Federal compliance with the Privacy Act is through \nthe mechanisms that we established, the privacy officers in the \nvarious communities, the oversight of Inspectors General of \nthis Committee.\n    Those deal much more effectively, in my judgment, with \nsystematic errors. The oversight you had today of the thrift \nboard is a perfectly good example.\n    To my mind, in general, the private litigation system is a \nless efficient and effective way of creating systematic change. \nThat is not to say that I disagree that most of the privacy \nharm is psychic in nature because most of privacy is about our \nown senses of personal value, shame, whatever it is that you \nare protecting rather than economic harm.\n    But at the same time, I think that enhancing litigation \nover individual Privacy Act violations would actually be a \ndiversion of resources from a much more effective and \nsystematic way of addressing the real privacy failures that do \nhappen in the government that should be addressed through \nprivacy officers, Inspectors General, the PCLOB if it ever gets \nstarted, this Committee, that sort of thing.\n    Senator Akaka. Thank you.\n    After that answer, let me ask Mr. Swire and Mr. Calabrese \nwhether you can reflect on this or what do you think about \nthis? Mr. Swire.\n    Mr. Swire. On the Privacy Act damages question, I would \nsupport putting back in place the way I thought the law was \nbefore. I think that the interpretation by the courts was more \nnarrow than was intended by the Privacy Act. I think emotional \nharms that are proven to a jury, or to a judge are real harms \nhere and we should put that back in the law.\n    Senator Akaka. Thank you.\n    Mr. Calabrese. And I would simply note that I do not think \nthis is a diversion of resources but a supplement of resources. \nWe already have oversight by Federal agencies and I agree that \nis appropriately systematic and necessary; but individuals are \nstill harmed by these disclosures, and the harm goes far beyond \nthe economic arm.\n    As such, it should be recognized. Individuals should be \ncompensated. The Federal agencies and the Federal Government is \nrequiring this information. So, hence, it is also required to \nprotect the people and that information when it is lost or \nmisused.\n    Senator Akaka. Thank you very much. Senator Johnson, your \nquestions.\n    Senator Johnson. Thank you, Mr. Chairman.\n    Let me start with the more philosophical question. Since \n1974, or quite honestly even prior to that, versus 2012 has the \ndefinition or maybe I should state it, has the expectation of \nprivacy changed?\n    I will start with you, Mr. Rosenzweig.\n    Mr. Rosenzweig. I think it changes all the time. I think \nthat we live in a society now in which people go on Jerry \nSpringer and meet their ex-wife\'s new boyfriend and have a \nfight with him on public TV.\n    I think that the expectation changes with catastrophic \nevents. We have a different expectation of what is an \nacceptable privacy intrusion at airports today than we did \nbefore. Many people do not like that but the expectation is \nchanging nonetheless.\n    I think that what we are really talking about in many \ncontexts is kind of not privacy so much as an expectation of \nanonymity or lack of governmental scrutiny without \njustification, and that too seems to be changing.\n    But, by that, I mean that we are now in a time where people \nhave come to understand that so much of their life is out there \non Facebook, on twitter voluntarily or involuntarily because \nthe credit card systems have changed.\n    But, where we are right now is that people expect that the \ngaze of law enforcement, for example, will not turn on them \nwithout a good justification or reason. That is a pretty \ndifferent change from what it used to be which was that we \nexpected that we were totally obscure and that the government \ndid not even know anything about us. Now, we think that it \nknows about us; we just do not want it to pay attention.\n    Senator Johnson. Mr. Calabrese, do you want to add to that \nor challenge it?\n    Mr. Calabrese. Yes, I would actually disagree candidly. I \nthink that while people have different interpretations of \nprivacy, I think the values that underlie privacy are really \nthe bedrock of this country.\n    I mean, they start with a Fourth Amendment. They start, \nessentially, with the right to be left alone. People interpret \nthat in different ways.\n    I think younger people, when I talk to them, believe very \nstrongly in privacy. They interpret it a little differently. \nThey think of it more as information control. I decide who sees \nwhat about me rather than the anonymity that we talked about in \nprevious generations.\n    But, I think, this bedrock principle that I should be free \nfrom government scrutiny certainly and government interference \nin my private life is one that is a fundamental thread in \nAmerican values.\n    Senator Johnson. Mr. Swire.\n    Mr. Swire. I have a right not to go on Jerry Springer and a \nright not to have Federal agencies gather all the data that \nJerry Springer might get out of some of his interviews.\n    The enduring values goes back to the Fourth Amendment \nsaying that there should be no unreasonable searches and \nseizures. What is reasonable changes with the facts.\n    But, I think a book by Alan Westin from around 1970 called \nPrivacy and Freedom goes through the history over time and \nshows that the values that are at stake are very enduring. \nTechnology changes somewhat, the safeguards change somewhat but \nthe link between privacy and freedom is a very long-standing \none.\n    Senator Johnson. Thank you. I think most people recognize \nthe harm of loss of privacy when it comes to theft of either \nassets or certainly identity, certainly the harm caused by \ndisclosure of health circumstances, that kind of stuff, can you \nalso speak on other types of harm caused by loss of privacy and \nexposure of private information? Personal and private \ninformation.\n    Mr. Calabrese, we will start with you.\n    Mr. Calabrese. Yes, no, of course.\n    It is such a wide variety. I think we can begin with the \nharm of surveillance. I fear to learn about particular things, \nvisit particular Web sites because it may muzzle me. I may not \nwant to visit a Web site that talks about radical Islam in \nspite of the fact I am the furthest thing from a radical \nIslamic.\n    I fear that will somehow be connected with me and I will \nsuffer some investigation or harm because of it.\n    Then, more general just dignity reasons. I mean there are \nplenty of things that we do in our life that we would not want \ntaken out of context, whether it is just the songs we listen to \nor the people we are friends with.\n    All of these things are sort of the right to a personal \nlife. That is really the fundamental piece here is that it is \nvery difficult to explore new ideas, to learn about new \nconcepts and to just sort of engage in the thought process that \nis necessary to be a responsible citizen in a democracy without \nthe privacy to make mistakes, to explore ideas that you may \nwant to later discard, all of that really requires privacy. And \nif you do not have it, it is sort of a fundamental harm to your \nright as a citizen.\n    Senator Johnson. Mr. Rosenzweig.\n    Mr. Rosenzweig. I agree that privacy is an enabler of \npersonal development. And so, it strikes me that is the value \nthat we want to protect, but it is just an enabler.\n    What we want to protect is the ability to develop \npersonally, to speak freely as you will. The problem or the \nchallenge that we face right now is we might want to protect \nthe ability to develop personally through privacy protections, \nthey are going away. Right?\n    If you engage in any sort of activity on the web today, it \nis out there. We can limit what the government does with it but \nthere is no way that we can limit anything beyond the pieces of \nthe government that we control, that you control.\n    We can maybe limit commercial sectors here in the United \nStates. We cannot limit what happens in Bermuda. We cannot \nlimit what happens in Mexico.\n    The challenge, I think, right now is to enable that \npersonal development not by having to self-edit because of the \nfear of going to a Muslim Web site but by being much more \nstrict about prohibiting adverse consequences on people for \ngoing to look at radical Islamic Web sites.\n    So, I do not disagree with the end result. My problem is \nthat the way of doing it by deliberately making the government \nor the commercial sector dumb about what people are doing is \nthe wrong way to go about it.\n    The right way to go about it is let us be smart but then \nmake us do smart things with the smart data, not stupid things \nlike challenging people just because they are going to Muslim \nWeb site.\n    Senator Johnson. Mr. Swire, would you like to comment on \nthat?\n    Mr. Swire. A lot of good things have been said. One other \npart of the privacy fair practice is accessing your data and \ncorrecting mistakes.\n    So, if you are on the no-fly list and you should not be or \nyour credit history is wrong, they have the wrong person with \nyour name, having good procedures around that is another part \nof what we consider as privacy protection that I think we \nsurely want to build into our information society.\n    Senator Johnson. Thank you.\n    Thank you, Mr. Chairman.\n    Senator Akaka. Thank you very much, Senator Johnson.\n    Mr. Calabrese, you testified that the exemptions to the \nPrivacy Act for law enforcement and intelligence activities are \nproblematic.\n    Given the many recent privacy concerns about the treatment \nof personal information in the national and homeland security \ncontext, I agree that this issue merits further examination.\n    How can we ensure that these exemptions are not abused \nwithout harming important law enforcement and intelligence \nactivities?\n    Mr. Calabrese. Thank you, Senator,\n    Well, I think in terms of tightening controls, I think we \ncan begin by acknowledging that the Privacy Act actually has \npretty good disclosure limitations that says, you should not \ndisclose information unless you have a good reason to do so.\n    What we need to do is tighten some of the exceptions like \nroutine use that allows essentially anything to be labeled \nroutine and hence disclosed.\n    And, I think that goes to the heart of how we get both a \nstrong national security and also good privacy is we need to \nfocus our investigations on people we suspect of wrongdoing, \nwho are criminals, who are terrorists.\n    When we have a basis for that investigation, we pursue it. \nThere are plenty of mechanisms for doing so. That does not mean \ncompiling a database of all the innocent people in advance in \ncase they may some day be needed for this.\n    When we have an investigation we pursue it. We do not put \nevery American in what amounts to a lineup on the assumption \nthat someday that lineup may prove valuable.\n    One of our enduring rights in this country is that we are \ninnocent until proven guilty. We need to hold onto that bedrock \nprinciple. Thank you.\n    Senator Akaka. Thank you.\n    Mr. Rosenzweig and Mr. Calabrese, I agree with Mr. Swire \nthat approving the nominees for the Privacy and Civil Liberties \nOversight Board is a critical priority, particularly as the \nSenate considers cybersecurity legislation.\n    As you know, the Board is supposed to be a key check on the \nnew information sharing authorities in the bill. I would like \nto hear your views on this issue.\n    Let me call on Mr. Swire first.\n    Mr. Swire. I think I spoke to it, sir. I am not sure I have \nmore to add to the idea that we should get these folks \nconfirmed.\n    Senator Akaka. Thank you. Mr. Rosenzweig.\n    Mr. Rosenzweig. I do not know all of the nominees. The \nthree that I know are quite able. I would have hoped that the \nSenate would have acted with President Bush in 2007 to fill the \nBoard and I would have hoped that President Obama, if he had \nacted with more alacrity and presented these nominees well \nbefore the near end of this session, we would have had a Board \nin place.\n    I agree completely that at some point a Board needs to be \nput in place because, as I said, I think that the oversight and \naudit functions are critical to my vision of the best ways to \nenhance privacy. I just regret that the political dimension of \nthis has brought us to the point where we are, what, 98 days \nout from an election and still trying to find a Board.\n    Senator Akaka. Thank you. Mr. Calabrese.\n    Mr. Calabrese. I agree obviously. We want to confirm these \nnominees tomorrow, if possible.\n    I want to just caution, though, it is not a panacea. I mean \nPCLOB is relatively small, even if it was fully staffed, it is \nsomething like 10 full-time staff under its current budget \nallotment. A part-time Board with a full-time chairman.\n    The agencies and the bureaucracies that it is supposed to \noversee are quite literally massive. They are the size of small \ntowns. So, there is no way that this Board is going to be able \nto provide any level of complete oversight.\n    It is a piece. It is necessary to fill it but no one should \nbelieve that simply filling the PCLOB is going to answer all \nour oversight concerns.\n    Senator Akaka. Thank you.\n    Mr. Swire, if we create a Federal Chief Privacy Office, \nshould that individual also review the information sharing \nprovisions of the cybersecurity bill?\n    Mr. Swire. So, how to work the CPO with the PCLOB is \nsomething that would take some work. I suggest in my testimony \nthat we have a long-held decision between unclassified commuter \nsystems in the Federal Government and the classified systems.\n    The Privacy and Civil Liberties Oversight Board is \nspecifically focused on classified and anti-terrorism \nactivities. It makes sense I think for them to take the lead \nthere and for the Federal Chief Privacy Officer to take the \nlead on unclassified systems. That is my best guess at how to \nproceed.\n    Senator Akaka. Thank you.\n    This is my final question for the entire panel. What key \nprivacy protection issues that we have not yet discussed also \nwarrant the attention of Congress? Mr. Calabrese.\n    Mr. Calabrese. There are so many. I would say that it is \nreally crucial to update our electronic communications privacy \nlaws (ECPA). For example, ECPA was passed in 1986. It governs \nlaw enforcement access to electronic communications.\n    It is woefully out of date. 1986 was an awful long time \nago. Similarly location privacy, as the court weighed in US v. \nJones this term, is a huge issue. Our cell phones have become \nportable tracking devices, and reining in that tracking so it \nonly happens appropriately I think is a very important job.\n    I could go on and on but I will stop at those two.\n    Senator Akaka. Thank you. Mr. Rosenzweig.\n    Mr. Rosenzweig. Those two are both worth thinking about. I \nguess I would add to that a consideration of whether or not the \nintelligence community\'s approach to privacy is sufficiently \nunified. I think there is divergency in views within that \ncommunity.\n    And, wow, I could probably think of a half dozen more but I \nwill just stop with that.\n    Senator Akaka. Mr. Swire.\n    Mr. Swire. So, just two observations. One is that the Jones \ncase about tracking the location I think is a very important \nmoment for the Supreme Court but Congress can followup there.\n    I did a project with some other groups at U.S. v. Jones.com \nwhich surveys ways to sort of get out the next generation of \nsurveillance and civil liberties here. I think I would focus on \nthat, how to do the electronic searches, how to update ECPA, \nand how to do some of the things discussed at US v. Jones.com.\n    Senator Akaka. Thank you. Let me ask Senator Johnson for \nfurther questions.\n    Senator Johnson. Thank you, Mr. Chairman.\n    Let me just address the very real conundrum facing \ngovernment. As we watch every terrorist act, the aftermath of \nthat, people start doing a postmortem on that, and they go, \nwell, we had this information, why did we not put two and two \ntogether and prevent the attack.\n    A very real concern, and it is just that natural tension \nbetween privacy and the security that the American people \nexpect. I guess I would like all three of you to, first of all, \naddress that very real concern to me. How do we navigate that \nvery fine line?\n    I guess we will start with Mr. Swire.\n    Mr. Swire. Thank you, Senator.\n    So, I wrote a law review article around 2006 called Privacy \nand Information Sharing in the War Against Terrorism. It is \nonline and law professors always love it if anybody ever reads \na law review article.\n    But I think that is a checklist of seven or eight questions \nthat I think should be asked as you are building a new \ninformation system. And, it actually is similar to what Mr. \nRosenzweig is saying about audit and accountability and setting \nit up so someone is looking at it carefully when you built it \nat the front and then auditing it once you have it in place.\n    And, I think if you do that, then you do use information \nintensively but you have some safeguards in place.\n    Senator Johnson. Thank you. Mr. Calabrese.\n    Mr. Calabrese. Well, I think one of the biggest problems \nwith information sharing today is that there is so much \ninformation that it overwhelms the ability of any analyst to \nessentially process it.\n    I mean, you cannot connect the dots when it is millions of \ndots being given to you every day. I mean, Secretary Leiter, \nwhen he was the Director of the NCTC, talked about an amazing \namount of leads and tips that they get every day.\n    And so, I think that we need to try to weed out the \ninnocent person chaff and focus more on actual leads, actual \npeople who, when Abdulmutallab\'s father came in to the Embassy \nand said, please investigate my son, it certainly seems \npossible to me that lead became lost because there was so much \ninformation pouring in that a good lead was lost amongst all \nthe chaff.\n    I think we need to focus on narrowing our information \nsharing to the right information, and that is a difficult task \nbut I think one that will bear the most fruit.\n    Senator Johnson. Mr. Rosenzweig.\n    Mr. Rosenzweig. I actually have a different perspective on \nthat which is I agree that we are drowning in a flood of data, \nbut to a large degree our capacity to analyze it has been \nhamstrung by our unwillingness to apply data analytics.\n    Abdulmutallab was actually a good example because the \nfather coming in was preceded apparently by a visa application \nthat would have been in the field of innocent data, \npresumptively innocent data that was collected about all of \nthese applicants.\n    You cannot know ex-ante which data fields are going to be \nthe ones that are relevant to an ongoing investigation. Up \nuntil just a couple of years ago, we actually did not have a \ncoordinated Google-like search functionality within the \nintelligence community, not because we could not implement \nthat, though it does take some money and coordination, but in \npart because we were concerned about the linkages between \nvarious databases as eroding privacy concerns.\n    When you have those concerns at the front end, they \nsometimes create artificial limitations. I agree completely \nthat the right answer is to try to use the analytics to narrow \ndown leads into the people that we want to devote investigative \nresources to. That is precisely what all of these systems are \nintended to do.\n    On the other hand, you cannot actually make them as \neffective as you might by limiting the intake on the front-end.\n    So, my perspective is that we are always going to be doing \ntoo much until the day after an event when we will not have \ndone enough, and the optimal answer is to try to get the right \nstructures in place up-front and at least be able to defend \nyour choices going forward.\n    Senator Johnson. Mr. Calabrese, I will definitely side with \npeople who are highly concerned about civil liberties and \ngovernment intrusion into our lives.\n    Can you, describe specific examples of purposeful misuse by \nthe government of some of the information, personal privacy \ninformation as opposed to hackers getting in and information \nbeing not purposefully but illegally disclosed?\n    Mr. Calabrese. Yes. Let me address your question first, \nSenator. I think we saw with the New York Police Departments \n(NYPDs) investigation of Muslim communities where they were, \nthey began to surveil entire communities, do community mapping \nof Muslims, not because they had any particular belief that \nthere was a particular person who they need to investigate but \njust simply to monitor the entire community.\n    Similarly we have seen reports, and the ACLU has done FOIAs \non this, where FBI agents under the guise of going and doing \ncommunity outreach and just getting to know the Muslim \ncommunity, something that I think everybody agrees is vital in \nterms of building bridges and connections so that they will \nfeel free to come forward if there is a criminal issue, were \nturned into intelligence reports where reports were compiled on \nthose innocent people who were trying to help the government do \ncommunity outreach.\n    So, when we turn people who are trying to help us into \nsuspects, it builds exactly kind of distrust that we are trying \nto prevent and I would argue hinders investigations going \nforward.\n    So, I think that is the kind of situation that we want to \nprevent and that is why we want to preserve some of the lines \nthat we have been talking about.\n    Senator Johnson. That is somewhat kind of outside what we \nare talking about here, at least what I am talking about in \nterms of privacy within the cyber community.\n    Mr. Rosenzweig, you mentioned Google. I mean, Google has \nall the information. If you have a credit card, you have \nprovided voluntarily all kinds of personal information. And, I \nguess, I just want somebody to speak to the disconnect between \nwhat we voluntarily give up to private companies that have a \ngreat deal of latitude, almost primoral latitude for use and \nmisuse of that information in the Federal Government.\n    Can you just kind of speak to that disconnect?\n    Mr. Rosenzweig. Well, there is much to be said about \nGoogle\'s privacy policies which many people think are not \nstrong enough in the private sector. I think the best way to \ncharacterize it would be this.\n    Just this past week in Las Vegas, they had the Black Hat \nconvention DEFCON which is a convention of hackers. And, one of \nthe leaders of the audience asked this assembled group of true \ncyber experts who they feared more, Google\'s privacy invasions \nor the government\'s, and Google won hands down, because the \npeople with the knowledge about this know that Google actually \nassembles, processes, and uses personal data much more \nefficiently, much more effectively than the Federal Government \ndoes.\n    So, if you are one who sees in that a threat, as the people \nat DEFCON did, they are more afraid of Google than they are of \nthe government by I think it was like six to one I saw in the \nnewspapers. I obviously was not there but that kind of speaks \nto it.\n    Senator Johnson. Thank you. I have run out of time again. I \nreally do want to thank the witnesses for your thoughtful \ntestimony and taking the time here. This has been a very \ninteresting discussion and, Mr. Chairman, for holding this \nhearing. This is a good hearing.\n    Senator Akaka. Go ahead.\n    Senator Johnson. No. I think I am good. Thank you.\n    Senator Akaka. Well, thank you very much, the second panel. \nI would like to thank each of you for your statement and your \nresponses. This has been a useful and informative discussion \nthat will help us chart the next steps to strengthen our \nFederal privacy and data security framework. I will continue \nfocusing on these important issues during the rest of my time \nin the Senate.\n    This hearing also will provide a blueprint for the next \nCongress on additional areas that must be addressed.\n    The hearing record will be open for 2 weeks for additional \nstatements or questions from members of this Subcommittee.\n    Again, I want to thank you for being with us.\n    The hearing is adjourned.\n    [Whereupon, at 11:58 a.m., the Subcommittee adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] T6066.001\n\n[GRAPHIC] [TIFF OMITTED] T6066.002\n\n[GRAPHIC] [TIFF OMITTED] T6066.003\n\n[GRAPHIC] [TIFF OMITTED] T6066.004\n\n[GRAPHIC] [TIFF OMITTED] T6066.005\n\n[GRAPHIC] [TIFF OMITTED] T6066.006\n\n[GRAPHIC] [TIFF OMITTED] T6066.007\n\n[GRAPHIC] [TIFF OMITTED] T6066.008\n\n[GRAPHIC] [TIFF OMITTED] T6066.009\n\n[GRAPHIC] [TIFF OMITTED] T6066.010\n\n[GRAPHIC] [TIFF OMITTED] T6066.011\n\n[GRAPHIC] [TIFF OMITTED] T6066.012\n\n[GRAPHIC] [TIFF OMITTED] T6066.013\n\n[GRAPHIC] [TIFF OMITTED] T6066.014\n\n[GRAPHIC] [TIFF OMITTED] T6066.015\n\n[GRAPHIC] [TIFF OMITTED] T6066.016\n\n[GRAPHIC] [TIFF OMITTED] T6066.017\n\n[GRAPHIC] [TIFF OMITTED] T6066.018\n\n[GRAPHIC] [TIFF OMITTED] T6066.019\n\n[GRAPHIC] [TIFF OMITTED] T6066.020\n\n[GRAPHIC] [TIFF OMITTED] T6066.021\n\n[GRAPHIC] [TIFF OMITTED] T6066.022\n\n[GRAPHIC] [TIFF OMITTED] T6066.023\n\n[GRAPHIC] [TIFF OMITTED] T6066.024\n\n[GRAPHIC] [TIFF OMITTED] T6066.025\n\n[GRAPHIC] [TIFF OMITTED] T6066.026\n\n[GRAPHIC] [TIFF OMITTED] T6066.027\n\n[GRAPHIC] [TIFF OMITTED] T6066.028\n\n[GRAPHIC] [TIFF OMITTED] T6066.029\n\n[GRAPHIC] [TIFF OMITTED] T6066.030\n\n[GRAPHIC] [TIFF OMITTED] T6066.031\n\n[GRAPHIC] [TIFF OMITTED] T6066.032\n\n[GRAPHIC] [TIFF OMITTED] T6066.033\n\n[GRAPHIC] [TIFF OMITTED] T6066.034\n\n[GRAPHIC] [TIFF OMITTED] T6066.035\n\n[GRAPHIC] [TIFF OMITTED] T6066.036\n\n[GRAPHIC] [TIFF OMITTED] T6066.037\n\n[GRAPHIC] [TIFF OMITTED] T6066.038\n\n[GRAPHIC] [TIFF OMITTED] T6066.039\n\n[GRAPHIC] [TIFF OMITTED] T6066.040\n\n[GRAPHIC] [TIFF OMITTED] T6066.041\n\n[GRAPHIC] [TIFF OMITTED] T6066.042\n\n[GRAPHIC] [TIFF OMITTED] T6066.043\n\n[GRAPHIC] [TIFF OMITTED] T6066.044\n\n[GRAPHIC] [TIFF OMITTED] T6066.045\n\n[GRAPHIC] [TIFF OMITTED] T6066.046\n\n[GRAPHIC] [TIFF OMITTED] T6066.047\n\n[GRAPHIC] [TIFF OMITTED] T6066.048\n\n[GRAPHIC] [TIFF OMITTED] T6066.049\n\n[GRAPHIC] [TIFF OMITTED] T6066.050\n\n[GRAPHIC] [TIFF OMITTED] T6066.051\n\n[GRAPHIC] [TIFF OMITTED] T6066.052\n\n[GRAPHIC] [TIFF OMITTED] T6066.053\n\n[GRAPHIC] [TIFF OMITTED] T6066.054\n\n[GRAPHIC] [TIFF OMITTED] T6066.055\n\n[GRAPHIC] [TIFF OMITTED] T6066.056\n\n[GRAPHIC] [TIFF OMITTED] T6066.057\n\n[GRAPHIC] [TIFF OMITTED] T6066.058\n\n[GRAPHIC] [TIFF OMITTED] T6066.059\n\n[GRAPHIC] [TIFF OMITTED] T6066.060\n\n[GRAPHIC] [TIFF OMITTED] T6066.061\n\n[GRAPHIC] [TIFF OMITTED] T6066.062\n\n[GRAPHIC] [TIFF OMITTED] T6066.063\n\n[GRAPHIC] [TIFF OMITTED] T6066.064\n\n[GRAPHIC] [TIFF OMITTED] T6066.065\n\n[GRAPHIC] [TIFF OMITTED] T6066.066\n\n[GRAPHIC] [TIFF OMITTED] T6066.067\n\n[GRAPHIC] [TIFF OMITTED] T6066.068\n\n[GRAPHIC] [TIFF OMITTED] T6066.069\n\n[GRAPHIC] [TIFF OMITTED] T6066.070\n\n[GRAPHIC] [TIFF OMITTED] T6066.071\n\n[GRAPHIC] [TIFF OMITTED] T6066.072\n\n[GRAPHIC] [TIFF OMITTED] T6066.073\n\n[GRAPHIC] [TIFF OMITTED] T6066.074\n\n[GRAPHIC] [TIFF OMITTED] T6066.075\n\n[GRAPHIC] [TIFF OMITTED] T6066.076\n\n[GRAPHIC] [TIFF OMITTED] T6066.077\n\n[GRAPHIC] [TIFF OMITTED] T6066.078\n\n[GRAPHIC] [TIFF OMITTED] T6066.079\n\n[GRAPHIC] [TIFF OMITTED] T6066.080\n\n[GRAPHIC] [TIFF OMITTED] T6066.081\n\n[GRAPHIC] [TIFF OMITTED] T6066.082\n\n[GRAPHIC] [TIFF OMITTED] T6066.083\n\n[GRAPHIC] [TIFF OMITTED] T6066.084\n\n[GRAPHIC] [TIFF OMITTED] T6066.085\n\n[GRAPHIC] [TIFF OMITTED] T6066.086\n\n[GRAPHIC] [TIFF OMITTED] T6066.087\n\n[GRAPHIC] [TIFF OMITTED] T6066.088\n\n[GRAPHIC] [TIFF OMITTED] T6066.089\n\n[GRAPHIC] [TIFF OMITTED] T6066.090\n\n[GRAPHIC] [TIFF OMITTED] T6066.091\n\n[GRAPHIC] [TIFF OMITTED] T6066.092\n\n[GRAPHIC] [TIFF OMITTED] T6066.093\n\n[GRAPHIC] [TIFF OMITTED] T6066.094\n\n[GRAPHIC] [TIFF OMITTED] T6066.095\n\n[GRAPHIC] [TIFF OMITTED] T6066.096\n\n[GRAPHIC] [TIFF OMITTED] T6066.097\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'