Feds Could Face Own Breach Notification Demand

If a hacker gains access to a company's database of customers' personal information, that company is required by many state laws to inform those customers that their personal information was exposed. Now federal agencies may be required to do the same, if a bill introduced today is eventually passed.

Rep. Tom Davis, R-Va., ranking member on the House Committee on Oversight and Government Reform, introduced The Federal Agency Data Breach Protection Act (HR 2124), which would amend the Federal Information Security Management Act of 2002 to require "the executive branch establish procedures to be followed in the event of a data breach," according to a press release from Davis' office. The bill also would:

-- clarify the authority that an agency head could delegate to the CIO;

-- require agencies to establish data breach notification procedures consistent with OMB policies, procedures and standards;

-- authorize agencies to establish policies and procedures for accounting for all federal personal property assigned to departing employees; and

-- define sensitive personal information.

The bill is identical to one Davis introduced last year (HR 6163), which was incorporated into The Veterans Identity and Credit Protection Act and passed in September. That law requires the Veterans Affairs Department to promptly notify vets of data breaches, to centralize IT management and to report VA's adherence to federal information security standards.