Date: June 9, 2008
House Passes H.R. 4791, the Federal Agency Data Protection Act
On June 3, 2008, the House passed H.R. 4791, the Federal Agency Data Protection Act, by voice vote. The bill would amend the Federal Information Security Management Act (FISMA), part of the E-Government Act of 2002. In general, the bill would enhance the protection of personally identifiable information collected and maintained by the Federal government. The bill has been referred to the Senate for its consideration.
The bill contains the following provisions of interest to SSA:
• Would define "personally identifiable information" (PII) as "any information about the individual maintained by an agency, including information: 1) about the individual's education, finances, medical, criminal, or employment history; 2) that can be used to distinguish or trace the individual's identity, including name, Social Security number, date and place of birth, mother's maiden name, or biometric records; or, 3) that is linked or linkable to the individual."
• Would extend the Office of Management and Budget's (OMB) oversight of agency information security policies and practices by requiring the Director to:
  • Review and approve or disapprove agency information security plans and schedules for conducting testing and evaluation of the effectiveness of information security policies, procedures, and practices at least annually.
  • Establish minimum requirements regarding the protection of PII maintained in or transmitted by mobile devices, including requirements for technologies that render information unusable to unauthorized persons. Mobile devices are defined in the bill to include laptop computers, communications devices, hand-held computing devices, and storage devices such as portable hard drives, CD-ROMs, DVDs, etc.
  • Require agencies to comply with minimally acceptable system configuration requirements consistent with best practices and checklists developed by the National Institute of Standards and Technology (NIST).
  • Ensure that agency contracts for information security products or services include requirements for contractors that meet minimally acceptable configuration requirements consistent with NIST guidance.
  • Establish contract requirements to ensure FISMA compliance with regard to information security provided by a contractor of an agency or by an organization on behalf of an agency.
  • Establish policies, procedures, and standards for agencies to follow in the event of a data security breach involving the disclosure of PII, to include: a breach notice requirement; guidance on determining how timely notice is to be provided; and a requirement of timely reporting of breaches to OMB and the Federal information security incident center.
  • Include, in its annual report to Congress on agency FISMA compliance, a summary of the breaches of information security reported by agencies to OMB and the Federal information security incident center.
• Would direct the head of each Federal agency to:
  • Delegate to the agency Chief Information Officer (CIO), to the extent determined necessary and explicitly authorized by the agency head, authority to enforce the agency requirements under FISMA.
  • Require the CIO to develop and maintain an inventory of all personal computers, laptops, or any other hardware containing PII.
  • Develop, document, and implement an agency-wide information security program that ensures compliance with minimally acceptable system configuration requirements as required by OMB. The program would include periodic testing and evaluation of information policies, procedures, and practices (no less than annually, and as approved by OMB) of system configuration requirements, including those for systems operated by an agency contractor or by an organization on behalf of an agency. (Contractor testing would be satisfied by independent testing, evaluation, or audit of such systems.)
  • Establish plans and procedures for: ensuring the adequacy of information security protections for systems maintaining or transmitting PII; notifying individuals whose PII may have been compromised or accessed following a breach of information security; and timely reporting of information security breaches involving PII to OMB and the Federal information security incident center.
  • Develop and implement plans that include protection of data from risks posed by peer-to-peer file sharing no later than six months after enactment. The Government Accountability Office (GAO) would review agency plans and submit a report to Congress on its results not later than 18 months after enactment.
• Would require annual independent audits of agency security procedures and systems to operate under generally accepted government auditing standards.
• Would require agencies to conduct privacy impact assessments (PIAs) (section 208 of the E-Government Act of 2002) using the statutory definition of PII.
• Would amend the authority and functions of agency Chief Human Capital Officers by requiring that they prescribe policies and procedures for exit interviews of employees that include a full accounting of all Federal personal property that was assigned to the employee during the course of employment.
The provisions of the bill would be implemented no later than 90 days after the date of enactment, except as otherwise specifically provided.