Information Security News: Rep. Clay introduces another data security bill

[InfoSec News <alerts () infosecnews org>]

http://www.fcw.com/online/news/151149-1.html

By Jason Miller
FCW.com
December 20, 2007

A new bill introduced by Rep. William Lacy Clay (D-Miss.) earlier this 
week would codify many of the steps the Office of Management and Budget 
took in a series of memos after the flood of data breaches in fiscal 
2006.

Clay, chairman of the House Oversight and Government Reform Committees 
Information Policy, Census and the National Archives Subcommittee, would 
require agencies to develop policies and plans to identify and protect 
personal information and to develop requirements for reporting data 
breaches.

The bill, H.R. 4791, is another in a series of legislative efforts to 
improve how agencies and the private sector prevent and respond to data 
losses. Clay introduced the bill Dec. 18, and it was referred to the 
committee.

OMB recognizes risks to personal information and risks introduced by new 
technologies are increasing, said Karen Evans, the Office of Management 
and Budgets administrator for e-government and information technology. 
We look forward to working with Congress and agencies to strengthen the 
Federal government's information security and privacy programs within 
the existing framework created by" the Federal Information Security 
Management Act.

In the past year, House and Senate members have tried unsuccessfully to 
get data breach legislation into law.

For instance, Rep. Tom Davis (R-Va.), ranking member of the committee, 
in May introduced the Federal Agency Data Breach Protection Act, and 
Sen. Norm Coleman (R-Minn.) followed with a companion version in June. 
Both bills died in committee.

Meanwhile, Sen. Dianne Feinstein (D-Calif.) introduced and the Judiciary 
Committee passed the Notification of Risk to Personal Data Act, and the 
committee also approved the Personal Data Privacy and Security Act of 
2007, sponsored by committee Chairman Patrick Leahy (D-Vt.) and Sen. 
Arlen Specter (R-Pa.), ranking member. The full Senate never brought 
either bill up for a vote.

Clay likely will have to reintroduce his legislation after the December 
recess, when the 111th Congress begins next month. Clay, however, 
already has the support of Rep. Henry Waxman (D-Calif.), committee 
chairman, and Edolphus Towns (D-N.Y.), chairman of the committees 
Government Management, Organization and Procurement Subcommittee, which 
bodes well for the future.

Clays bill follows OMBs 06-16 memo from June 2006 requiring agencies to 
encrypt personal data using standards that would make the information 
unusable by unauthorized persons. It also would mandate that agencies 
establish minimum requirements regarding the protection of information 
maintained or transmitted by mobile digital devices.

?Codifying these requirements is a big step, said Kevin Richards, 
Symantecs manager for federal government relations. The legislation will 
give agencies greater direction than OMBs memos.

Richards said too often agencies are interpreting how to implement the 
requirements.

OMB demanded that agencies use two-factor authentication and encrypt 
data on all mobile devices in addition to requiring devices to time out 
after 30 minutes of inactivity and log all data extracts.

Many agencies have successfully met three of the four requirements but 
still have trouble finding the best way to log data extracts.

The legislation also would require agencies to report data breaches in a 
timely manner to OMB and the Homeland Security Departments U.S. Computer 
Emergency Response Center.

In its July 12, 2006, memo, OMB required agencies to report to the 
center within one hour of learning of a data breach.

What may be more important about Clays bill is that it brings new 
security requirements for peer-to-peer networks and for contractors.

Agencies would be required to develop a plan to protect against the 
risks of peer-to-peer networks, and it details technology and policy 
procedures they should take. The plan would have to be implemented 
within six month of the act becoming law.

The Government Accountability Office also would have to review agency 
plans within 18 months of the act becoming law.

Richards said he was concerned about the bills definition of what a 
peer-to-peer networks is.

He said Symantec, like a lot of other vendors, updates its software 
through a live update connection and that shouldnt be considered a 
peer-to-peer network.

I dont think that is the committees intent, he said. I think it is not 
the technology, but the intent behind the technology." Additionally, 
Clay now wants GAO and agency inspectors general to audit agency 
networks in addition to systems used, operated or supported by 
contractors or subcontractors at any tier.

The bill also incorporates some aspects of the Senates version of the 
E-Government Reauthorization Act, requiring improved privacy impact 
assessments (PIAs), especially of data purchased from data brokers.

But agencies would not be allowed to enter into a contract with data 
brokers one year after the bill becomes law unless the data is from 
media or te ephone directory providers.

This pertains to any database with information in an identifiable form 
concerning U.S. persons unless the head of the agency implements a PIA, 
issues regulations on who is allowed to access, analyze or otherwise use 
the databases and issues standards governing access and analysis of the 
databases.

Finally, the bill would require penalties for vendors on contracts worth 
$500,000 or more if they do not implement a comprehensive personal data 
privacy and security program that includes administrative, technical and 
physical safeguards.

I think this bill is a positive step and it shows that in 2008 the 
committee will make information security a priority issue, Richards 
said.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/