Federal Privacy Law and Accessing Personal Records Held by Federal Agencies
Two State Department contractors were fired and a third was suspended for improperly accessing Senator Barack Obama's passport file, the Washington Post reported. Senator John McCain's and Senator Hillary Clinton's files were also improperly accessed, the New York Times reported. Although the earliest of the three incidents occurred on January 9, 2008, the State Department did not notify Senator Obama of the alleged breaches and possible Privacy Act violations until March 21, 2008. Congressman Henry Waxman, who chairs the House Committee on Oversight and Government Reform, the committee with jurisdiction over the matter, is calling for the State Department to identify the contractors involved in the data breach.
A February 2008 GAO Report criticized federal agencies for "not implement[ing] controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information." In an April 2007 "Federal Computer Security Report Card," Representative Tom Davis, ranking member of the House Oversight and Government Reform Committee, gave the State Department an "F," as compared with a government-wide grade of "C-." A 2006 OMB Report found that the Department of State "rarely" "performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB Policy and NIST guidance."

A July 2007 Congressional Research Service Report, "Information Security and Data Breach Notification Safeguards," examined three sources of federal obligations: the Privacy Act (which governs the collection, use, and dissemination of records about individuals that federal agencies maintain in a system of records), the Federal Information Security Management Act (FISMA) (which requires federal agencies to provide information security protections for agency information and information systems), and the Office of Management and Budget's "Breach Notification Policy." According to the Report, the Privacy Act requires each agency to "establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." Legal remedies for violations of the Act include a civil suit against the agency, with actual damages of no less than $1,000 to the individual for intentional or willful violations, and criminal penalties.
FISMA, according to the Report, requires federal agencies to "develop, document, and implement an agency-wide information security program 'providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.'" An agency's information security plan "must include procedures for detecting, reporting, and responding to security incidents . . . ."
The Office of Management and Budget issued a guidance memorandum (M-07-16) entitled "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," which required all federal agencies to implement a breach notification policy within 120 days of the May 22, 2007 memorandum. Attachment 3 to the Memorandum, labeled "External Breach Notification," requires agencies to have a plan that addresses (1) whether breach notification is required, (2) the timeliness of the notification, (3) the source of the notification, (4) the contents of the notification, and (5) who receives the notification. The CRS Report explains that "when the breach involves a federal contractor or an entity operating a system of records for the agency, the agency must issue the notification and undertake corrective actions." Attachment 4 to the Memorandum, as described by CRS, notes that supervisors may be subject to disciplinary action for failing to take appropriate action upon discovering a breach. A search of the Department of State's website did not uncover a "breach notification policy," and a call requesting information was not immediately returned, although the existence of such a policy was referenced in testimony by Susan Swart before the Senate on March 12, 2008.
In that testimony, Susan Swart, the Department of State's Chief Information Officer, said:
The Department continues its commitment to comply with Privacy Act provisions, protecting the rights of American citizens and aliens admitted for permanent residence and safeguarding personal information regardless of physical format. . . . More recently, the Department formed the Privacy Protection Governance Board to heighten awareness and ensure the protection of personally identifiable information in all aspects of the Department’s programs and activities. The Board brings together Assistant Secretaries from throughout the Department to address the interdependencies among the security, technology, and business aspects requisite to minimizing and reducing the collection, use, and dissemination of personal information – and especially Social Security Numbers – and to safeguarding this sensitive information in all formats, particularly in today’s dynamic electronic environment. The Department’s accomplishments include the development of a Breach Notification Policy; . . . While we have made considerable progress, we recognize that more work needs to be done to protect personal information within the Department.
Resources:
- Letter from the Honorable Henry A. Waxman, Chairman, House of Representatives Committee on Oversight and Government Reform, calling for the release of the names of the companies involved in the information breaches (March 21, 2008).
- On-the-record briefing by Patrick Kennedy, the Department of State's Under Secretary for Management, regarding "Unauthorized Access to Passport Records" (March 20, 2008)
- "Agencies in Peril: Are We Doing Enough to Protect Federal IT and Secure Sensitive Information," Oversight Hearing Conducted by the Senate Committee on Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security (March 12, 2008)
- Testimony by Susan Swart, the Department of State's Chief Information Officer, Bureau of Information Resource Management, on "Agencies in Peril: Are We Doing Enough to Protect Federal IT and Secure Sensitive Information," Before the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, & International Security, Committee on Homeland Security and Governmental Affairs (March 12, 2008)
- "Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies," GAO Report (February 14, 2008)
- IT Strategic Plan: Fiscal Years 2006-2001 Goals Paper – Empowering Diplomacy (updated December 2007)
- "Information Security and Data Breach Notification Safeguards," Congressional Research Service Report (July 31, 2007)
- "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," OMB Memorandum M-07-16 issued by Clay Johnson III (May 22, 2007)
- "FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002," OMB (March 1, 2006)
- Testimony by Bruce Morrison, Acting Chief Information Officer, on "Cyber Security: The Status of Information Security and the Effects of the Federal Information Security Management Act at Federal Agencies" (June 24, 2003)