Why Doesn’t Obama’s Data Breach Privacy Proposal Apply to Agencies?

President Barack Obama speaks at the Federal Trade Commission offices at the Constitution Center in Washington, Monday, Jan. 12, 2015. Carolyn Kaster/AP

Currently, there is no law in place requiring hacked agencies to notify citizens when their data is compromised.

President Barack Obama is calling on Congress to mandate that companies whose customer data is breached inform affected individuals within 30 days. But why don’t agencies that are hacked have to notify citizens when their data is compromised?

The silence on the government's responsibility to protect its own data became awkward, as pro-ISIS hackers allegedly leaked personal information on U.S. military members around the same time Obama was speaking.

There currently is no federal requirement to notify breach victims within a set time period. A hodgepodge of state regulations gives companies varying guidance on contacting victims. Fewer than 30 percent of federal agencies recently surveyed notified affected individuals of high-risk breaches, the Government Accountability Office reported last year.

On Monday, in response to a raft of data breaches at Sony, Target, JPMorgan and other companies, Obama proposed new legislation and took some executive actions to protect Americans' privacy.

"We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests," the president said in remarks at the Federal Trade Commission. “We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused."

But it is unclear whether any of Obama's measures would address personal information stolen from government computers.

Agencies have breached the privacy of millions of Americans in incidents that had nothing to do with domestic surveillance. The Energy Department, the Office of Personnel Management, the U.S. Postal Service and possibly the State Department took a month, if not longer, to notify individuals affected by malicious compromises.

The Double Standard Issue

Some lawmakers have introduced bills that would compel agencies to come forward about breaches of citizen information.

The Federal Agency Data Breach Notification Act, introduced by Rep. Gerry Connolly, D-Va., last Congress would require, among other things, notifying individual victims within 72 hours after discovering evidence of a personal data breach.

The House passed the 72-hour provision, but the Senate never voted on it. Rules are already in place on notifying the Department of Homeland Security privately about breaches, but not about informing potential victims.

Connolly on Monday said reactions by agency officials to the arguably prescriptive measure changed his mind about pushing the bill. Instead, he plans to closely monitor execution of an overhaul of the Federal Information Security Management Act, or FISMA, enacted in December 2014, which contains a looser breach notification clause.

The new law mandates disclosure “as expeditiously as practicable and without unreasonable delay.”

“Based on feedback received from federal agencies concerned about the unintended consequences of a one-size-fits-all standard, I know that the authors of [the FISMA reforms] likely opted for language that would enhance breach notification requirements while providing agencies with the necessary flexibility to respond to unique circumstances,” Connolly told Nextgov by email. “Ultimately, the devil will be in the details ... Depending on the quality of the guidance, it may be sufficient or there may be a need for Congress to go back and further strengthen that specific provision.”

On Monday night, administration officials told Nextgov in a statement they are "currently reviewing all relevant breach notification policies and will update them in a timely manner in accordance with relevant laws and best practices."

Connolly said he does not feel the administration is applying a double standard by omitting agencies from its legislative agenda. The urgent need to strengthen data breach policies is “not an either/or dilemma” exclusive to either the public or private sector, he said.

“When so much of our nation’s [personal information] is stored in cyberspace, in both government and private information systems, it is incumbent upon federal agencies and private enterprises to share information about breaches and adopt best practices for all systems,” Connolly added.

He said he views the administration’s effort to establish an industry breach notification standard as complementary to the forthcoming FISMA guidelines for agencies.

Connolly said he wants the White House to ensure both the federal agency standard and the broader national standard “reflect the most up-to-date best practices, period."

He added, “Whether one’s [personal information] is stored in a federal system of records, or a commercial public cloud, I think the bottom line for the vast majority of Americans is that they want to know that the legal standards for protecting their private information will be robust in any environment."

Hackers Interrupt Cyber News Conference

Obama’s speech, in an unfortunate coincidence, occurred as news went viral that the military's own social media presence had been hacked. A group purporting to be affiliated with ISIS took over Central Command's Twitter and YouTube accounts for about half an hour, defacing them with threatening messages.

The “cyber vandalism,” the Pentagon’s term for the incident, struck third-party commercial systems, not Defense Department servers. Some of the posted content allegedly contained personal contact information for current and retired U.S. military personnel.

"We are notifying appropriate DOD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible," CENTCOM officials said in a statement.

In advance of next week's State of the Union address, Obama is announcing a slate of cybersecurity reforms. Tomorrow, he is expected to visit the nation's 24-hour cyber threat information-sharing center to encourage industry and agencies to exchange tips about cyber threats.
