Why Doesn’t Obama’s Data Breach Privacy Proposal Apply to Agencies?

President Barack Obama speaks at the Federal Trade Commission offices at the Constitution Center in Washington, Monday, Jan. 12, 2015. // Carolyn Kaster/AP

President Barack Obama is calling on Congress to mandate that companies whose customer data is breached inform affected individuals within 30 days. But why don’t agencies that are hacked have to notify citizens when their data is compromised?

The silence on the government's responsibility to protect its own data became awkward, as pro-ISIS hackers allegedly leaked personal information on U.S. military members around the same time Obama was speaking.

There currently is no U.S. requirement for notifying breach victims within a certain time period. A hodgepodge of state regulations gives companies varying guidance on contacting victims. Fewer than 30 percent of federal agencies recently surveyed notified affected individuals of high-risk breaches, the Government Accountability Office reported last year.

On Monday, in response to a raft of data breaches at Sony, Target, JPMorgan and other companies, Obama proposed new legislation and took some executive actions to protect Americans' privacy.

"We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests," the president said in remarks at the Federal Trade Commission. “We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused."

But it is unclear whether any of Obama's measures would address personal information stolen from government computers.

Agencies have breached the privacy of millions of Americans – during incidents that had nothing to do with domestic surveillance. The Energy Department, the Office of Personnel Management, the U.S. Postal Service and possibly the State Department took a month, if not longer, to notify individuals affected by malicious compromises. 

The Double Standard Issue

Some lawmakers have introduced bills that would compel agencies to come forward about breaches of citizen information.

The Federal Agency Data Breach Notification Act, introduced by Rep. Gerry Connolly, D-Va., last Congress would require, among other things, notifying individual victims within 72 hours after discovering evidence of a personal data breach.

The House passed the 72-hour provision, but the Senate never voted on it. Rules are already in place on notifying the Department of Homeland Security privately about breaches, but not about informing potential victims.

Connolly on Monday said reactions by agency officials to the arguably prescriptive measure changed his mind about pushing the bill. Instead, he plans to closely monitor execution of an overhaul of the Federal Information Security Management Act, or FISMA, enacted December 2014, which contains a looser breach notification clause. 

The new law mandates disclosure “as expeditiously as practicable and without unreasonable delay.”

“Based on feedback received from federal agencies concerned about the unintended consequences of a one-size-fits-all standard, I know that the authors of [the FISMA reforms] likely opted for language that would enhance breach notification requirements while providing agencies with the necessary flexibility to respond to unique circumstances,” Connolly told Nextgov by email. “Ultimately, the devil will be in the details. . . Depending on the quality of the guidance, it may be sufficient or there may be a need for Congress to go back and further strengthen that specific provision.”

On Monday night, administration officials told Nextgov in a statement they are "currently reviewing all relevant breach notification policies and will update them in a timely manner in accordance with relevant laws and best practices."

Connolly said he does not feel the administration is applying a double standard by omitting agencies from its legislative agenda. The urgent need to strengthen data breach policies is “not an either/or dilemma” exclusive to either the public or private sector, he said.

“When so much of our nation’s [personal information] is stored in cyberspace, in both government and private information systems, it is incumbent upon federal agencies and private enterprises to share information about breaches and adopt best practices for all systems,” Connolly added.

He said he views the administration’s effort to establish an industry breach notification standard as complementary to the forthcoming FISMA guidelines for agencies.

Connolly said he wants the White House to ensure both the federal agency standard and the broader national standard “reflect the most up-to-date best practices, period."

He added, “Whether one’s [personal information] is stored in a federal system of records, or a commercial public cloud, I think the bottom line for the vast majority of Americans is that they want to know that the legal standards for protecting their private information will be robust in any environment."

Hackers Interrupt Cyber News Conference

Obama’s speech, in an unfortunate coincidence, occurred as news went viral that the military's own social media presence had been hacked. A group purporting to be affiliated with ISIS took over Central Command's Twitter and YouTube accounts for about half an hour, defacing them with threatening messages.

The “cyber vandalism” -- the Pentagon’s term for the incident -- struck third-party commercial systems, not Defense Department servers. Some of the content allegedly contained personal contact information for current and retired U.S. military personnel.

"We are notifying appropriate DOD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible," CENTCOM officials said in a statement. 

In advance of next week's State of the Union address, Obama is announcing a slate of cybersecurity reforms. Tomorrow, he is expected to visit the nation's 24-hour cyber threat information-sharing center to encourage industry and agencies to exchange tips about cyber threats.
