Feds Seek Faster Breach Notices

Legislation would require agencies to publicly disclose data compromises

The governmentwide fallout from the massive security breach at the U.S. Department of Veterans Affairs continued last week, as an influential congressman proposed legislation that would require federal agencies to notify the public if sensitive data were lost or stolen.

The legislation filed by Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, calls for the White House Office of Management and Budget to set disclosure policies and standards for agencies to follow for breaches involving personal data.

The OMB already toughened the internal breach-notification requirements for agencies via a July 12 memo issued by de facto federal CIO Karen Evans. Agencies now must report any incident involving personally identifiable information to the U.S. Department of Homeland Security within one hour of discovering it, Evans wrote. That includes both confirmed and suspected breaches, she added.

In a statement last week, Davis said his attempt to amend the Federal Information Security Management Act is also aimed at forcing agencies to disclose breaches more quickly. "We have seen too many recent examples when sensitive data has been lost or stolen and agencies have moved too slowly to acknowledge the problem and take steps to limit the potential damage," he said.

For instance, the theft of a laptop PC and external disk drive that triggered the breach at the VA took place on May 3. VA Secretary R. James Nicholson wasn't informed of the incident until May 16, and the agency waited another seven days before it publicly disclosed the breach.

At a hearing held by the Senate Committee on Veterans' Affairs last Thursday, Nicholson testified about the dilemma he had faced over whether the VA should further delay the disclosure or go public with the news and potentially alert the thief about the kind of data that the stolen equipment contained. "We had a very big powwow, and there were pros and cons, and I made the decision that we needed to inform," he said.

New Mood on Capitol Hill

But as evidence of the mood in Washington, Sen. Richard Burr (R-N.C.) told Nicholson that Congress should have been immediately notified about the breach. "There should be no debate [about that]," Burr said.

Under the OMB's modified policy on internal breach disclosures, the one-hour reporting requirement now applies to incidents involving the improper use of sensitive data, such as storing it on a home computer without adequate protection, said Gartner Inc. analyst John Pescatore. Previously, only breaches involving unauthorized access to data had to be reported so quickly.

The memo sent by Evans to federal agency CIOs represents a step forward in the government's thinking on information security, Pescatore said. Agencies will likely be challenged to meet the one-hour reporting deadline for all incidents, he acknowledged. But, he added, requiring them to file notices more quickly could allow the government's incident response teams to take faster action on breaches.

Much depends on the kind of reporting structure and escalation processes that exist within an agency, said Bruce Brody, a former chief information security officer at the VA who is now an analyst at Input in Reston, Va.

OMB officials "are assuming that there's a centralized authority that is part of the escalation process," Brody said. In reality, such a structure simply doesn't exist within most federal agencies, he added. When breaches occur in such situations, he asked, "who reports it, and at what level does the decision get made to pass the information on to the OMB?"

The new policy could also result in a high number of "false positives" being reported to the DHS, said Doug Howard, chief operating officer at Counterpane Internet Security Inc., a managed security services provider in Mountain View, Calif. Each time someone left a laptop in a car or at an airport security check-in, a report would have to be filed immediately, Howard noted. "It's just burdensome," he said.

The July 12 memo also requires agencies to specify the amounts they're requesting for correcting "steady-state" systems' security weaknesses, versus funds they're seeking for systems development or modernization projects.

The directive from Evans followed a memo from another OMB official last month that gave agencies 45 days to implement a prescribed set of security controls for protecting sensitive data when it is accessed from remote locations or stored on laptop PCs and other mobile devices.

In another development last week, the House Committee on Veterans' Affairs approved a bill that would elevate the VA's CIO and CISO to higher management levels within the agency. The Veterans Identity and Credit Security Act would also require the VA to provide timely notifications of breaches to Congress and evaluate the idea of using personal identification numbers instead of Social Security numbers to identify veterans.

Copyright © 2006 IDG Communications, Inc.
