Why Doesn’t Obama’s Data Breach Privacy Proposal Apply to Agencies?

President Barack Obama speaks at the Federal Trade Commission offices at the Constitution Center in Washington, Monday, Jan. 12, 2015. // Carolyn Kaster/AP

President Barack Obama is calling on Congress to mandate that companies whose customer data is breached inform affected individuals within 30 days. But why don’t agencies that are hacked have to notify citizens when their data is compromised?

The silence on the government's responsibility to protect its own data became awkward, as pro-ISIS hackers allegedly leaked personal information on U.S. military members around the same time Obama was speaking.

There currently is no U.S. requirement for notifying breach victims within a certain time period. A hodgepodge of state regulations gives companies varying guidance on contacting victims. Fewer than 30 percent of federal agencies recently surveyed notified affected individuals of high-risk breaches, the Government Accountability Office reported last year.

On Monday, in response to a raft of data breaches at Sony, Target, JPMorgan and other companies, Obama proposed new legislation and took some executive actions to protect Americans' privacy.

"We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests," the president said in remarks at the Federal Trade Commission. "We're introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused."

But it is unclear whether any of Obama's measures would address personal information stolen from government computers.

Agencies have breached the privacy of millions of Americans, during incidents that had nothing to do with domestic surveillance. The Energy Department, the Office of Personnel Management, the U.S. Postal Service and possibly the State Department took a month, if not longer, to notify individuals affected by malicious compromises.

The Double Standard Issue

Some lawmakers have introduced bills that would compel agencies to come forward about breaches of citizen information.

The Federal Agency Data Breach Notification Act, introduced by Rep. Gerry Connolly, D-Va., last Congress would require, among other things, notifying individual victims within 72 hours after discovering evidence of a personal data breach.

The House passed the 72-hour provision, but the Senate never voted on it. Rules are already in place on notifying the Department of Homeland Security privately about breaches, but not about informing potential victims.

Connolly on Monday said reactions by agency officials to the arguably prescriptive measure changed his mind about pushing the bill. Instead, he plans to closely monitor execution of an overhaul of the Federal Information Security Management Act, or FISMA, enacted in December 2014, which contains a looser breach notification clause.

The new law mandates disclosure “as expeditiously as practicable and without unreasonable delay.”

“Based on feedback received from federal agencies concerned about the unintended consequences of a one-size-fits-all standard, I know that the authors of [the FISMA reforms] likely opted for language that would enhance breach notification requirements while providing agencies with the necessary flexibility to respond to unique circumstances,” Connolly told Nextgov by email. “Ultimately, the devil will be in the details. . . Depending on the quality of the guidance, it may be sufficient or there may be a need for Congress to go back and further strengthen that specific provision.”

On Monday night, administration officials told Nextgov in a statement they are "currently reviewing all relevant breach notification policies and will update them in a timely manner in accordance with relevant laws and best practices."

Connolly said he does not feel the administration is applying a double standard by omitting agencies from its legislative agenda. The urgent need to strengthen data breach policies is “not an either/or dilemma” exclusive to either the public or private sector, he said.

“When so much of our nation’s [personal information] is stored in cyberspace, in both government and private information systems, it is incumbent upon federal agencies and private enterprises to share information about breaches and adopt best practices for all systems,” Connolly added.

He said he views the administration’s effort to establish an industry breach notification standard as complementary to the forthcoming FISMA guidelines for agencies.

Connolly said he wants the White House to ensure both the federal agency standard and the broader national standard "reflect the most up-to-date best practices, period."

He added, "Whether one's [personal information] is stored in a federal system of records, or a commercial public cloud, I think the bottom line for the vast majority of Americans is that they want to know that the legal standards for protecting their private information will be robust in any environment."

Hackers Interrupt Cyber News Conference

Obama's speech, in an unfortunate coincidence, occurred as news went viral that the military's own social media presence had been hacked. A group purporting to be affiliated with ISIS took over Central Command's Twitter and YouTube accounts for about half an hour, defacing them with threatening messages.

The "cyber vandalism" -- the Pentagon's term for the incident -- struck third-party commercial systems, not Defense Department servers. Some of the content allegedly contained personal contact information for current and retired U.S. military personnel.

"We are notifying appropriate DOD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible," CENTCOM officials said in a statement.

In advance of next week's State of the Union address, Obama is announcing a slate of cybersecurity reforms. Tomorrow, he is expected to visit the nation's 24-hour cyber threat information-sharing center to encourage industry and agencies to exchange tips about cyber threats.
