Efforts to Update Outdated Privacy Act Gain Momentum
- — 01 August, 2012 14:00
The head of a Senate subcommittee on Tuesday called for an overhaul of the federal privacy laws that stipulate how government agencies collect, use and secure citizens' information.
Daniel Akaka (D-Hawaii), who chairs the Homeland Security and Governmental Affairs Committee's Oversight of Government Management Subcommittee, warned that the 1974 Privacy Act is rife with vague language that no longer provides adequate protections for citizens after nearly four decades of technological advances.
At Tuesday's hearing, Akaka revealed that he was one of dozens of lawmakers whose personal information was compromised in a major security breach involving the agency that oversees the Thrift Savings retirement program for federal workers.
He challenged Greg Long, executive director of the Federal Retirement Thrift Investment Board, about the organization's security posture. In the 2011 breach, which involved a subcontractor's desktop computer that fell prey to a cyberattack, the personal information of more than 123,000 federal workers was compromised, including more than 40,000 Social Security numbers.
Akaka chided Long for having failed to implement guidance that the Office of Management and Budget (OMB) had issued in 2007 directing departments and agencies to strengthen their security defenses and issue prompt notification to anyone whose information might be compromised in a data breach.
Long, in his defense, said that his agency had been hindered in acting on the guidance by scarce resources but that it had taken swift action to improve its security posture since.
He explained that the agency is undertaking a "significant modernization effort" to harden its defenses in areas such as its server environment. He told lawmakers that his staff had made significant progress on the security front, but insisted that the agency would remain vigilant in the face of ever-evolving threats.
"Even with all of this, we know that there are sophisticated attackers out there," Long said.
"We need to go back and redouble our efforts," he added. "We feel that we have been focused on IT security, but this is a wake-up call."
Though the Thrift Savings breach was among the more recent and high-profile security issues to hit the federal government, it was by no means an isolated incident. Akaka noted that implementation of the OMB guidelines has been highly uneven across the departments and agencies. Additionally, he cited the absence of a chief privacy officer at OMB as an example of a shortfall of executive leadership on issues of privacy and security.
Moreover, Akaka called for legislative measures to help protect citizens' personal information. For instance, he has offered an amendment to the comprehensive cybersecurity bill the full Senate is considering this week that would direct the Department of Homeland Security draft rules requiring agencies to notify consumers in the event of a breach.
He has also introduced a bill that would update the Privacy Act, the guiding statute governing how federal agencies use citizens' personal information, a law that he warned has fallen dangerously out of step with the way government authorities use modern technology.
"Unfortunately key pieces of this foundation have serious cracks that need to be fixed," he said.
For instance, Akaka noted limitations on individuals' right to sue government entities for damages for causes other than economic harm under the Privacy Act. That issue came to light in a U.S. Supreme Court case earlier this year when the high court ruled against a plaintiff whose HIV status had been shared with other agencies by the Social Security Administration. The plaintiff had sued for damages claiming emotional distress.
Consumer advocacy groups such as the American Civil Liberties Union have argued that the court's ruling in Federal Aviation Administration vs. Cooper was a major blow against citizens' protections from privacy violations at the hands of their government.
"By many experts' accounts, this decision rendered the act toothless," Akaka said.
Akaka also pointed out what he called a loophole in the Privacy Act that exempts federal agencies' use of databases maintained by firms in the private sector, a common practice among law enforcement authorities and other government entities.
"We should require privacy impact assessments on agencies' use of commercial sources of Americans' private information," he said. "This would provide basic transparency of agencies' use of commercial databases, so that individuals have appropriate protections such as access, notice, correction and purpose limitations."
Greg Wilshusen, director of information security issues at the Government Accountability Office, testified that agencies should develop and adhere to certain best practices for collecting and using personal information that would curb the privacy risks for citizens, similar to those that leading Internet companies have been developing in the private sector. For instance, Wilshusen recommended that government organizations confine the amount of information they collect to a specific program, and place restrictions on the duration that that information can be retained.
"If federal agencies are collecting information for a stated purpose, once that purpose has been achieved, if they continue to retain that information indefinitely, to no other particular use, then that -- potentially, if the appropriate security controls are not placed over that information, could be subject to risk of unauthorized disclosure to someone who might be able to break into their systems or gain access to that information," he said. "So the principle is just for as long as you need the information, keep it, protect it. Once that need no longer exists, then get rid of it. Delete it."
Wilshusen also described the alarming volume and increase in the number of security breaches involving personally identifiable information (PII) in recent years as the government's digital infrastructure expands and comes under more frequent attack.
In 2010, federal agencies reported just over 13,000 security incidents involving personal information. Last year, that number spiked 19 percent as agencies reported 15,560 such incidents.
The GAO is recommending that federal agencies apply consistent standards to their data-collection programs and their use of personal information, as well as taking more steps to inform the public about privacy protections and limit the use of PII.
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about privacy in CIO's Privacy Drilldown.