Feds Not Yet Required to Notify Individuals of Data Breaches, But They Should Be, and Soon

Posted by Joe Addiego

The San Francisco Chronicle recently reported that since 2003, nineteen different federal agencies have suffered the loss or theft of confidential data pertaining to individuals, yet few, if any, of these agencies reported the breaches. The reason? There are no data breach reporting requirements applicable to the federal government, which raises the question: why not? This lack of accountability for the feds is particularly troubling, since thirty-three different states already have passed data breach notification laws.

Representative Tom Davis from Virginia, which perhaps not coincidentally is one of the states that has a notification law, introduced H.R. 6163, the Federal Agency Data Breach Protection Act, on July 19, 2006. The bill would amend title 44 of the U.S. Code to:

(1) instruct the Director of the Office of Management and Budget to establish policies, procedures, and standards for agencies to follow in the event of a breach of data security involving disclosure of sensitive personal information in violation of federal law; and (2) require timely notification to individuals whose sensitive personal information could be compromised as a result of such a breach.

This bill has drawn criticism because it would only require notification if there is a reasonable risk of identity theft as a result of the security breach, and because it does not specify who must make this determination. Nevertheless, imposing disclosure requirements on the feds is a step in the right direction. This bill, or one like it with more stringent terms, needs to be passed into law, and hopefully the remaining 17 states will follow suit.