Legislation would mandate data protection plans

A new bill introduced earlier this week would require agencies to set penalties for vendors on contracts worth $500,000 or more if the company did not implement a comprehensive personal data privacy and security program.

A new bill introduced by Rep. William Lacy Clay (D-Mo.) earlier this week would require agencies to set penalties for vendors on contracts worth $500,000 or more if the company did not implement a comprehensive personal data privacy and security program that includes administrative, technical and physical safeguards.

The provision in H.R. 4791 also would call for agencies to take reasonable steps to select and retain contractors capable of maintaining appropriate safeguards of personal information.

Overall, the bill would codify many of the steps the Office of Management and Budget took in a series of memos after the flood of data breaches in fiscal 2006.

"I think I understand the grasp of what they are trying to get at with data breaches: contractors are not held accountable," said Kevin Richards, federal government relations manager with Symantec Corp. "The Hill is trying to layer additional requirements, which is not a bad thing, but it has to be done in the right way."

The bill from Clay, chairman of the House Oversight and Government Reform Committee's Information Policy, Census and National Archives Subcommittee, also would require agencies to develop policies and plans to identify and protect personal information and to set requirements for reporting data breaches.

The bill is another in a series of legislative efforts to improve how agencies and the private sector prevent and respond to data losses. Clay introduced the bill Dec. 18, and it was referred to the committee.

House and Senate members in the past year have tried unsuccessfully to get data breach legislation into law.

For example, Rep. Tom Davis (R-Va.), ranking member of the committee, in May introduced the Federal Agency Data Breach Protection Act, and Sen. Norm Coleman (R-Minn.) followed with a companion version in June. Both bills died in committee.

Meanwhile, Sen. Dianne Feinstein (D-Calif.) introduced and the Judiciary Committee passed the Notification of Risk to Personal Data Act, and the committee also approved the Personal Data Privacy and Security Act of 2007, sponsored by committee Chairman Patrick Leahy (D-Vt.) and Sen. Arlen Specter (R-Pa.), ranking member. The full Senate never brought either bill up for a vote.

Clay likely will have to push his legislation again after the December recess, when Congress returns next month. But Clay already has the support of Rep. Henry Waxman (D-Calif.), committee chairman, and Rep. Edolphus Towns (D-N.Y.), chairman of the committee's Government Management, Organization and Procurement Subcommittee, which bodes well for the bill's prospects.

What may be more important about Clay's bill is that it brings new security requirements for peer-to-peer networks and for contractors.

The bill also would have the Government Accountability Office and agency inspectors general audit not only agency networks but also systems used, operated or supported by contractors or subcontractors at any tier.

Richards said the new audit requirements may be a litmus test for contractors in terms of how far they go to protect federal data.

"Lawmakers are drawing a bright line between the federal agency and the outside contractors," Richards added. "But we will need some clarification about how it will work, and what the responsibilities would be for vendors."

Agencies also would be required to develop a plan to protect against the risks of peer-to-peer networks, and the bill details the technology and policy procedures they should adopt. The plan would have to be implemented within six months of the act becoming law.

GAO also would have to review agency plans within 18 months of the act becoming law.

Richards said vendors would need more details on what lawmakers mean by peer-to-peer networks. He said Symantec, like a lot of other vendors, updates its software through a live-update connection, and that should not be considered a peer-to-peer network.

"I don't think that is the committee's intent," he said. "I think it is not the technology, but the intent behind the technology."

Jason Miller writes for Government Computer News and Federal Computer Week, 1105 Government Information Group publications.