Two items show the ongoing struggle to maintain the security of personal information.
Government Computer News reported in their July 24 issue that the Office of Management and Budget has tightened requirements for federal agencies to report data breaches. Responding to recently reported data breaches, the OMB guidance reinforces much of current federal law in this area, but the added pressure will hopefully encourage greater compliance. Legislation recently proposed by Representative Davis (R-Virginia) would further define the responsibility of both OMB and agency CIOs with respect to the reporting of data breaches and enforcement of data breach policies.
The memo (PDF), dated July 12, requires agencies to notify the U.S. Computer Emergency Readiness Team (U.S. CERT, part of the Department of Homeland Security) within an hour of discovery. This is already required under the Federal Information Security Management Act of 2002, but the OMB guidance clarifies what kinds of breaches must be reported – “all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches.” It is hoped that this memo will also help improve responses from those agencies that have had trouble implementing FISMA.
You can read the full article online.
From The National Journal’s CongressDaily, we note that the House Energy and Commerce Committee has approved legislation (H.R. 1078, The Social Security Number Protection Act of 2005) criminalizing the sale of Social Security Numbers and empowering the FTC to regulate the practice. The bill needs to be reviewed by the Ways and Means Committee before going to the House floor.