Senate Committee Sees Cybersecurity Bill as Vehicle to Reform 1974 Privacy Act
The 1974 Privacy Act should be amended to account for the tremendous technological shift in federal data collection practices, members said Tuesday at a Senate Homeland Security and Governmental Affairs Subcommittee on Oversight of Government Management hearing. Chairman Daniel Akaka, D-Hawaii, advocated his amendment to the Senate Cybersecurity Act (S-3414), which would require federal agencies to implement data privacy policies and require agencies to disclose data breaches that involve citizens’ information. “I think it is critical to make agencies prioritize this before a breach occurs,” he said.
Many elements of the Act “are simply out of date and do not make sense in the current data environment,” Akaka said. “The Act is difficult to interpret and apply and it provides inconsistent protection to the massive amount of personal information in the hands of the government.” Akaka also promoted his Privacy Act Modernization for the Information Age Act (S-1732) as a means to fix the “serious cracks” in the foundation of federal privacy policy.
Sen. Tom Carper, D-Del., said lawmakers must do more to ensure that sensitive consumer information is properly protected and timely notification to consumers is provided in the event of a breach. “Fraud and identity theft have serious consequences and it is time we make sure government agencies, companies and others handling this sensitive information have rules in place to safeguard this information,” he said in prepared remarks. Carper is a co-sponsor of S-3414 and said the need for “strong measures against privacy breaches is a clear reason why we are debating cybersecurity legislation on the Senate floor right now.”
Ranking Member Ron Johnson, R-Wis., wouldn’t say if he supports Akaka’s amendment to S-3414, but agreed that privacy is “one of the primary issues” that the Senate is dealing with in the bill. “Most people recognize the harm and loss of privacy that comes with the theft of identity and the disclosure of health” records, Johnson said. There’s a “very real conundrum” in government to balance the tension between privacy and the security “that Americans expect,” he said. Johnson co-sponsored an alternative cybersecurity bill, the SECURE IT Act (S-2151), which opposes federal cybersecurity mandates for owners and operators of critical infrastructure.
The government has slowly eroded federal privacy protections and current federal privacy guidance is inadequate, said ACLU Legislative Counsel Chris Calabrese. He backed Akaka’s S-1732 as a means to fix the major problems in federal privacy policy and urged members to amend the Privacy Act. Ensuring the privacy and security of information protected by the federal government remains a challenge, said Greg Wilshusen, GAO director of information security issues. The proper procedures to protect Americans’ privacy should be implemented and Congress should amend the Privacy Act and the E-Government Act, he said. Akaka’s amendment to S-3414 would add civil remedies to the Privacy Act and modernize the E-Government Act to include information gleaned from commercial databases.
The Federal Retirement Thrift Investment Board has undergone a privacy overhaul to improve FRTIB’s privacy posture after suffering a major breach last year, Executive Director Greg Long said. In July 2011, an FRTIB contractor was the subject of a cyberattack that compromised the personal information of more than 123,000 participants in the Thrift Savings Plan, he said. Akaka said his personal information was disclosed in the attack. Though the breach occurred on a contractor’s network, Long said he “deeply regret[s] the cyberattack and the concern it has caused [the board’s] participants.” Long said the agency is redesigning its contract with the company that was responsible for the leak and reassured the chairman that the contract will have “stringent IT security.”
The Senate should act promptly to confirm the five nominees for the Privacy and Civil Liberties Oversight Board, said Peter Swire, Office of Management and Budget chief counselor for privacy during the Clinton administration. The Senate Judiciary Committee approved the nominations in May, but Senate Majority Leader Harry Reid, D-Nev., hasn’t scheduled a floor vote on the nominees. Swire urged Congress to create a federal chief privacy officer to take the lead on federal privacy policies and coordinate trans-border privacy issues. He also urged lawmakers to adopt S-1732 as a means to “close a loophole” in the Privacy Act and adopt the FTC’s proposal for defining the federal use of de-identified data.
Rather than updating the Privacy Act, lawmakers should completely rewrite the statute, said Paul Rosenzweig, founder of Red Branch Consulting and a visiting fellow at the Heritage Foundation. “Since I think that its entire structure is mismatched to technological reality, I would advocate a more extended consideration that leads to a complete rewrite of the statute,” he said in his prepared remarks.