Bill Would Require U.S. Agencies To Disclose Theft Of Sensitive Data

Legislation that would require federal agencies to disclose data breaches involving sensitive information was introduced in the House Monday by Rep. Tom Davis, R.-Va., chairman of the House Government Reform Committee. Such a bill would put government agencies on par with businesses, which are required by a patchwork of state laws to notify their customers in such cases.

The measure, HR 6163, would amend the Federal Information Security Management Act to direct the White House Office of Management and Budget to establish procedures for agencies to follow if personal information is lost or stolen. The legislation also would require that individuals be notified if their personal information could be compromised by a breach of data security at a federal agency. Agency CIOs would be expected to ensure that their staffs comply with information security laws and that equipment containing sensitive information is accounted for and secured.

Davis, whose committee oversees government IT, warned that tougher measures could come if the administration doesn't act swiftly. "This bill is a first step," Davis said in a statement. "If new policies and procedures are not forthcoming quickly, or if they lack the teeth to get the job done, I will revisit this matter with additional legislation."

The legislation was prompted by the theft of a laptop PC and external hard drive that contained personal data such as names, birth dates, and Social Security numbers on 26.5 million veterans and military personnel from the home of a Department of Veterans Affairs analyst in May. The devices were recovered nearly two months later, with the data apparently not accessed.