[Congressional Record (Bound Edition), Volume 153 (2007), Part 8]
[Extensions of Remarks]
[Pages 11348-11349]
[From the U.S. Government Publishing Office, www.gpo.gov]




               FEDERAL AGENCY DATA BREACH PROTECTION ACT

                                 ______
                                 

                             HON. TOM DAVIS

                              of virginia

                    in the house of representatives

                         Thursday, May 3, 2007

  Mr. TOM DAVIS of Virginia. Madam Speaker, secure information is the 
lifeblood of effective government policy and management, yet federal 
agencies continue to hemorrhage vital data. Personal information 
continues to be placed at risk, and we must ask: What is being done to 
protect the sensitive digital identities of millions of Americans, and 
how can we limit the damage when personal data does go astray?
  As we all now know, a Department of Veterans Affairs employee 
reported the theft of computer equipment from his home--equipment which 
stored more than 26 million records containing personal information. VA 
leadership delayed acting on the report for almost two weeks, while 
millions were at risk of serious harm from identity theft and the 
agency struggled to determine the exact extent of the breach.
  But this is only one in a long string of personal information 
breaches in the public and private sectors, including financial 
institutions, data brokerage companies, and academic institutions. Last 
year, we found the Census Bureau could not account for over one 
thousand laptops containing sensitive information issued to employees. 
And just recently, we learned the Department of Agriculture left 
sensitive data on a website, putting the personal information of 
150,000 individuals as risk.
  These breaches continue to illustrate how far we have to go to reach 
the goal of strong, uniform, government-wide information security 
policies and procedures.
  On the Government Reform Committee, I focused on government-wide 
information management and security for a long time. The Privacy Act 
and the E-Government Act of 2002 outline the parameters for the 
protection of personal information. These recent incidents highlight 
the importance of establishing--and following--security standards for 
safeguarding personal information. They also highlight the need for 
proactive security breach notification requirements for organizations--
including Federal agencies--dealing with sensitive personal 
information.

[[Page 11349]]

  Congress continues working on requirements for the private sector--
but Federal agencies present unique requirements and challenges. These 
incidents demonstrate the importance of strengthening the laws and 
rules protecting personal information held by Federal agencies--and we 
need to do this quickly.
  In order to get a more complete picture of the problem before 
pursuing legislation, we sent a request to all cabinet agencies seeking 
information about data breaches involving the loss of sensitive 
personal information.
  The results were troubling. We learned there have been a wide range 
of incidents involving data loss or theft, privacy breaches, and 
security incidents. In almost all of these cases, Congress and the 
public would not have learned of each event unless we had requested the 
information.
  My bill requires timely notice be provided to individuals whose 
sensitive personal information could be compromised by a breach of data 
security at a Federal agency. Despite the volume of sensitive 
information held by agencies, there currently is no requirement people 
be notified if their information is compromised. Under this 
legislation, the executive branch must establish practices, procedures 
and standards for agencies to follow if sensitive personal information 
is lost or stolen and there is a reasonable risk of harm to an 
individual. And we provide a clear definition of the type of sensitive 
information we're trying to protect.
  We also give the agency Chief Information Officers the authority, 
when appropriate and authorized, to ensure agency personnel comply with 
the information security laws already on the books.
  Finally, we ensure costly equipment containing potentially sensitive 
information is accounted for and secure. Half of the lost Census Bureau 
computers simply were not returned by departing or terminated 
employees. The agency did not track computer equipment, nor were 
employees held accountable for failing to return it. This is taxpayer 
funded equipment, containing sensitive information, and we must know 
what we have and who has it--at all times.
  Each year, I release Federal agency information security scorecards. 
Despite some improvement, scores for many departments remain 
unacceptably low. The Federal Government overall received a C minus, a 
slight improvement over prior years.
  The Federal Government has sensitive personal information on every 
citizen--health records, tax returns, military records. We need to 
ensure the public knows when its sensitive personal information has 
been lost or compromised in some way.
  The language in this bill is identical to H.R. 6163, which I 
introduced last Congress. Last year, with the assistance of then 
Chairman Steve Buyer, I incorporated this language into the Veterans 
Identity and Credit Security Act (H.R. 5835), which passed the House on 
September 26. That bill, including my language, had strong bipartisan 
support, with 67 cosponsors from both sides of the aisle, including the 
new chairman of the Oversight and Government Reform Committee.
  This bill is a critical first step toward limiting the loss of our 
sensitive personal information. I hope we can again move this important 
legislation through the House.

                          ____________________