[Congressional Record Volume 152, Number 75 (Tuesday, June 13, 2006)]
[Senate]
[Page S5810]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. AKAKA:
  S. 3506. A bill to prohibit the unauthorized removal or use of 
personal information contained in a database owned, operated, or 
maintained by the Federal government; to the Committee on the 
Judiciary.
  Mr. AKAKA. Mr. President, I am introducing the Data Theft Prevention 
Act of 2006 in response to concerns that arose following the recent 
theft of computer equipment from the home of a Department of Veterans 
Affairs employee in early May. I would like to thank my friends Senator 
Schumer, Senator Murray, and Senator Clinton for being original 
cosponsors of this legislation.
  The stolen equipment contained personal information on as many as 
26.5 million veterans, Active Duty, National Guard and Reserve 
personnel. These files had been downloaded from VA databases over a 
period of 3 years by the employee without any authorization, then taken 
out of VA and placed on personal computer equipment at the employee's 
home.
  I am sure my colleagues will be as alarmed as I was when I tell them 
that this unauthorized removal of the personal information from the 
Department of Veterans Affairs was not an illegal act. In fact, I was 
told by VA's inspector general that the employee's only misdeed was of 
a recently established VA Security Guideline, which only carries the 
weight of suggested employee behavior. Despite VA's efforts to provide 
cyber security for the myriad of databases the Department controls, at 
the time of the theft there was no policy or law in place to prevent or 
deter an unauthorized act.
  The legislation I am introducing today would establish Federal 
penalties for anyone, whether a government employee or government 
contractor, who knowingly and without authorization views, uses, 
downloads, or removes any means of identification or individually 
identifiable health information that is in a Federal database. Although 
the incident which triggered my present concerns occurred in VA, this 
legislation would apply to all Federal departments and agencies. The 
legislation would also penalize those who would use any such personal 
information for criminal purposes.
  This legislation is intended to complement existing Federal personal 
information security policies and to emphasize the need for all Federal 
departments and agencies to review existing policies and clearly lay 
out who is and isn't authorized to use, view, or download personal 
information.
  This legislation would send the clear message that anyone who 
knowingly and without authorization removes personal or health 
information from a Federal database does so at their own risk.
  VA Secretary Nicholson testified last week before the House 
Government Reform Committee that he thought that there should be 
consideration of ``putting some kind of teeth in an enforcement 
mechanism for the compromising and careless and negligent handling of 
personal information.'' This measure would do just that.
  If enacted, violation of the provisions of this law could result in a 
fine of up to $100,000, imprisonment for 1 year, or both. These 
penalties are similar to those which currently apply to Internal 
Revenue Service employees who are responsible for breaches of tax 
information.
  Given the potential impact to our veterans, Active Duty, National 
Guard, and Reserve personnel through identity theft and the incredible 
disruption and costs incurred by the government from the theft of the 
VA data, it is vital that we take steps to deter any future incidents 
and hold accountable those who are responsible.
  I urge our colleagues to support this important legislation and to 
work with me for its prompt enactment. We must do all we can to prevent 
any further compromise of personal data in the hands of the government.
  Mr. President, I ask unanimous consent that the text of this 
legislation be published in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 3506

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Data Theft Prevention Act of 
     2006''.

     SEC. 2. FEDERAL DATABASES.

       (a) In General.--Chapter 101 of title 18, United States 
     Code, is amended by adding at the end the following:

     ``Sec. 2077. Means of identification and individually 
       identifiable health information in Federal databases

       ``(a) Definitions.--In this section:
       ``(1) Federal database.--The term `Federal database' means 
     any electronic database owned, operated, or maintained by or 
     for the Federal Government.
       ``(2) Individually identifiable health information.--The 
     term `individually identifiable health information' has the 
     meaning given the term in the regulations issued under 
     section 264(c) of the Health Insurance Portability and 
     Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
       ``(3) Means of identification.--The term `means of 
     identification' has the meaning given the term in section 
     1028 of this title.
       ``(b) Unauthorized Use.--It shall be unlawful for any 
     person knowingly and without authorization--
       ``(1) to view, use, download, or remove any means of 
     identification or individually identifiable health 
     information that is in a Federal database; or
       ``(2) to transfer such means of identification or 
     individually identifiable health information to, or store 
     such means of identification or individually identifiable 
     health information in, any computer, network, database, or 
     other format used to store information that is not a Federal 
     database.
       ``(c) Use for Criminal Purposes.--It shall be unlawful for 
     any person to use a means of identification or individually 
     identifiable health information obtained directly or 
     indirectly from a Federal database in furtherance of a 
     violation of any Federal or State criminal law.
       ``(d) Penalty.--Any person who violates subsection (b) or 
     (c) shall be fined not more than $100,000, imprisoned not 
     more than 1 year, or both.''.
       (b) Chapter Analysis.--The table of sections for chapter 
     101 of title 18, United States Code, is amended by adding 
     after the item relating to section 2076 the following:

``2077.  Means of identification and individually identifiable health 
              information in Federal databases.''.



