Efforts to Update Outdated Privacy Act Gain Momentum

The head of a Senate subcommittee on Tuesday called for an overhaul of the federal privacy laws that stipulate how government agencies collect, use and secure citizens' information.

Daniel Akaka (D-Hawaii), who chairs the Homeland Security and Governmental Affairs Committee's Oversight of Government Management Subcommittee, warned that the 1974 Privacy Act is rife with vague language that no longer provides adequate protections for citizens after nearly four decades of technological advances.

At Tuesday's hearing, Akaka revealed that he was one of dozens of lawmakers whose personal information was compromised in a major security breach involving the agency that oversees the Thrift Savings retirement program for federal workers.

He challenged Greg Long, executive director of the Federal Retirement Thrift Investment Board, about the organization's security posture. In the 2011 breach, which involved a subcontractor's desktop computer that fell prey to a cyberattack, the personal information of more than 123,000 federal workers was compromised, including more than 40,000 Social Security numbers.

Akaka chided Long for having failed to implement guidance that the Office of Management and Budget (OMB) had issued in 2007 directing departments and agencies to strengthen their security defenses and issue prompt notification to anyone whose information might be compromised in a data breach.

Long, in his defense, said that his agency had been hindered in acting on the guidance by scarce resources but that it had taken swift action to improve its security posture since.

He explained that the agency is undertaking a "significant modernization effort" to harden its defenses in areas such as its server environment. He told lawmakers that his staff had made significant progress on the security front, but insisted that the agency would remain vigilant in the face of ever-evolving threats.

"Even with all of this, we know that there are sophisticated attackers out there," Long said.

"We need to go back and redouble our efforts," he added. "We feel that we have been focused on IT security, but this is a wake-up call."

Though the Thrift Savings breach was among the more recent and high-profile security issues to hit the federal government, it was by no means an isolated incident. Akaka noted that implementation of the OMB guidelines has been highly uneven across the departments and agencies. Additionally, he cited the absence of a chief privacy officer at OMB as an example of a shortfall of executive leadership on issues of privacy and security.

Moreover, Akaka called for legislative measures to help protect citizens' personal information. For instance, he has offered an amendment to the comprehensive cybersecurity bill the full Senate is considering this week that would direct the Department of Homeland Security to draft rules requiring agencies to notify consumers in the event of a breach.

He has also introduced a bill that would update the Privacy Act, the guiding statute governing how federal agencies use citizens' personal information, a law that he warned has fallen dangerously out of step with the way government authorities use modern technology.

"Unfortunately key pieces of this foundation have serious cracks that need to be fixed," he said.

For instance, Akaka noted that the Privacy Act limits individuals' right to sue government entities for damages other than economic harm. That issue came to light in a U.S. Supreme Court case earlier this year when the high court ruled against a plaintiff whose HIV status had been shared with other agencies by the Social Security Administration. The plaintiff had sued for damages claiming emotional distress.

Consumer advocacy groups such as the American Civil Liberties Union have argued that the court's ruling in Federal Aviation Administration vs. Cooper was a major blow against citizens' protections from privacy violations at the hands of their government.

"By many experts' accounts, this decision rendered the act toothless," Akaka said.

Akaka also pointed out what he called a loophole in the Privacy Act that exempts federal agencies' use of databases maintained by firms in the private sector, a common practice among law enforcement authorities and other government entities.

"We should require privacy impact assessments on agencies' use of commercial sources of Americans' private information," he said. "This would provide basic transparency of agencies' use of commercial databases, so that individuals have appropriate protections such as access, notice, correction and purpose limitations."

Greg Wilshusen, director of information security issues at the Government Accountability Office, testified that agencies should develop and adhere to best practices for collecting and using personal information that would curb the privacy risks for citizens, similar to those that leading Internet companies have been developing in the private sector. For instance, Wilshusen recommended that government organizations confine the information they collect to what a specific program needs, and place limits on how long that information can be retained.

"If federal agencies are collecting information for a stated purpose, once that purpose has been achieved, if they continue to retain that information indefinitely, to no other particular use, then that -- potentially, if the appropriate security controls are not placed over that information, could be subject to risk of unauthorized disclosure to someone who might be able to break into their systems or gain access to that information," he said. "So the principle is just for as long as you need the information, keep it, protect it. Once that need no longer exists, then get rid of it. Delete it."

Wilshusen also described the alarming volume of, and increase in, security breaches involving personally identifiable information (PII) in recent years, as the government's digital infrastructure expands and comes under more frequent attack.

In 2010, federal agencies reported just over 13,000 security incidents involving personal information. Last year, that number spiked 19 percent as agencies reported 15,560 such incidents.

The GAO is recommending that federal agencies apply consistent standards to their data-collection programs and their use of personal information, as well as take more steps to inform the public about privacy protections and limit the use of PII.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
