Date: October 5, 2006
House Passes H.R. 5835, the Veterans Identity and Credit Security Act of 2006
On September 26, 2006, by a voice vote, the House passed H.R. 5835, the Veterans Identity and Credit Security Act of 2006. The bill was sent to the Senate, where it awaits action. The House-passed bill contains the following provisions of interest:
Section 2 - Federal Agency Data Breach Notification Requirements
Would amend the Federal Information and Security Management Act (FISMA) of 2002 to:
Require the Director of the Office of Management and Budget to establish policies, procedures, and standards for agencies to follow in data breaches, including a requirement for timely notice to be provided to individuals whose sensitive personal information could be compromised, guidance on determining how timely notice is to be provided, and guidance as to whether additional special actions may be necessary;
Require each agency head to delegate to the agency Chief Information Officer (CIO) the authority to ensure and enforce compliance with FISMA; require agency CIOs to develop and maintain an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information;
Require that agencies include, in their agency-wide information security programs, procedures for notifying individuals whose information is compromised in data breaches;
Require agency Chief Human Capital Officers to prescribe policies and procedures for exit interviews of all employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment; and,
Provide that the definition of ‘sensitive personal information’ would mean any information about an individual that is maintained by an agency, including his education, financial transactions, medical history, and criminal or employment history; information that can be used to distinguish or trace the individual’s identity, including his name, Social Security number, date or place of birth, mother’s maiden name, or biometric records; or any other personal information that is linked or linkable to the individual.
These provisions would be effective upon enactment.