House passes data breach bill

Davis' legislation now goes to the Senate.

A bill that would require all federal agencies to strengthen their protection of sensitive information has passed the House and now moves on to the Senate.

The language is part of a larger bill, the Veterans Identity and Credit Security Act of 2006. Rep. Tom Davis (R-Va.), who introduced the measure applying to all agencies, said he will try to move the language separately if the Senate does not act on the bill.

Davis' legislation would amend the Federal Information Security Management Act, which Davis introduced and championed in 2002. The change directs the Office of Management and Budget to establish procedures for agencies to follow if personal information entrusted to an agency is lost or stolen. It also requires agencies to notify people whose personal information is jeopardized by a security breach and gives chief information officers the power to ensure that agency employees comply with information security laws.

The bill comes after a series of revelations about lost, stolen or exposed data from several agencies.

In a speech Davis delivered on the House floor Sept. 26, he noted that Congress has been working on security requirements for the private sector. "But federal agencies present unique requirements and challenges, and these incidents demonstrate that we need to strengthen the laws and rules protecting personal information held by federal agencies."

The Department of Veterans Affairs had the first widely publicized incident, when thieves stole a laptop computer and external hard drive from the home of an employee who had taken the items home. The items contained personal data on more than 26 million veterans. Police later recovered the laptop computer, and the data appeared not to have been touched.

In light of the risk, Davis had his staff investigate the measures agencies take to protect such data. "The results are in, and they are troubling," he said in his floor statement. "We've learned that there have been a wide range of incidents involving data loss or theft, privacy breaches, and security incidents. In almost all of these cases, Congress and the public would not have learned of each event unless we had requested the information. This history of withholding incidents has to stop."