President Barack Obama is calling on Congress to mandate that companies whose customer data is breached inform affected individuals within 30 days. But why don’t agencies that are hacked have to notify citizens when their data is compromised?
The silence on the government's responsibility to protect its own data became awkward, as pro-ISIS hackers allegedly leaked personal information on U.S. military members around the same time Obama was speaking.
There currently is no U.S. requirement for notifying breach victims within a certain time period. A hodgepodge of state regulations give companies varying guidance on contacting victims. Less than 30 percent of federal agencies recently surveyed notified affected individuals of high-risk breaches, the Government Accountability Office reported last year.
On Monday, in response to a raft of data breaches at Sony, Target, JPMorgan and other companies, Obama proposed new legislation and took some executive actions to protect Americans' privacy.
"We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests," the president said in remarks at the Federal Trade Commission. “We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused."
But it is unclear whether any of Obama's measures would address personal information stolen from government computers.
Agencies have breached the privacy of millions of Americans – during incidents that had nothing to do with domestic surveillance. The Energy Department, the Office of Personnel Management, the U.S. Postal Service and possibly the State Department took a month, if not longer, to notify individuals affected by malicious compromises.
The Double Standard Issue
Some lawmakers have introduced bills that would compel agencies to come forward about breaches of citizen information.
The Federal Agency Data Breach Notification Act, introduced by Rep. Gerry Connolly, D-Va., last Congress would require, among other things, notifying individual victims within 72 hours after discovering evidence of a personal data breach.
The House passed the 72-hour provision, but the Senate never voted on it. Rules are already in place on notifying the Department of Homeland Security privately about breaches, but not about informing potential victims.
Connolly on Monday said reactions by agency officials to the arguably prescriptive measure changed his mind about pushing the bill. Instead, he plans to closely monitor execution of an overhaul of the Federal Information Security Management Act, or FISMA, enacted December 2014, which contains a looser breach notification clause.
The new law mandates disclosure “as expeditiously as practicable and without unreasonable delay.”
“Based on feedback received from federal agencies concerned about the unintended consequences of a one-size-fits-all standard, I know that the authors of [the FISMA reforms] likely opted for language that would enhance breach notification requirements while providing agencies with the necessary flexibility to respond to unique circumstances,” Connolly told Nextgov by email. “Ultimately, the devil will be in the details. . . Depending on the quality of the guidance, it may be sufficient or there may be a need for Congress to go back and further strengthen that specific provision.”
On Monday night, administration officials told Nextgov in a statement they are "currently reviewing all relevant breach notification policies and will update them in a timely manner in accordance with relevant laws and best practices."
Connolly said he does not feel the administration is applying a double standard by omitting agencies from its legislative agenda. The urgent need to strengthen data breach policies is “not an either/or dilemma” exclusive to either the public or private sector, he said.
“When so much of our nation’s [personal information] is stored in cyberspace, in both government and private information systems, it is incumbent upon federal agencies and private enterprises to share information about breaches and adopt best practices for all systems,” Connolly added.
He said he views the administration’s effort to establish an industry breach notification standard as complementary to the forthcoming FISMA guidelines for agencies.
Connolly said he wants the White House to ensure both the federal agency standard and the broader national standard “reflect the most up-to-date best practices, period."
He added, “Whether one’s [personal information] is stored in a federal system of records, or a commercial public cloud, I think the bottom line for the vast majority of Americans is that they want to know that the legal standards for protecting their private information will be robust in any environment."
Hackers Interrupt Cyber News Conference
Obama’s speech, in an unfortunate coincidence, occurred as news went viral that the military's own social media presence had been hacked. A group purporting to be affiliated with ISIS took over Central Command's Twitter and YouTube account for about a half an hour, defacing them with threatening messages.
The “cyber vandalism” -- the Pentagon’s term for the incident -- struck third-party commercial systems, not Defense Department servers. Some of the content allegedly contained personal contact information for current and retired U.S. military personnel.
"We are notifying appropriate DOD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible," CENTCOM officials said in a statement.
In advance of next week's State of the Union address, Obama is announcing a slate of cybersecurity reforms. Tomorrow, he is expected to visit the nation's 24-hour cyber threat information-sharing center to encourage industry and agencies to exchange tips about cyber threats.