Thanks to the action of the Senate Judiciary Committee this week, it looks like we have not one but two bills addressing data breach notification requirements that would apply broadly to commercial entities. The measure introduced as the Personal Data Privacy and Security Act (S. 1490) and sponsored by committee chairman Sen. Patrick Leahy is somewhat broader in scope than the Data Breach Notification Act (S. 139) sponsored by Sen. Dianne Feinstein, in that Leahy’s bill addresses penalties and enforcement mechanisms for identity theft as well as setting data breach notification requirements. There is a great deal in common between the two bills, so it seems likely (if there is momentum to bring the bills before the full Senate for deliberation) that they will be combined into a single piece of legislation. Sen. Leahy has been particularly vocal in suggesting that there is growing public demand for a national data breach law, and seems to think the appetite exists in Congress to take up the measure this year or next, despite the fact that similar bills were first introduced four years ago and have never made it through the legislative process to a full vote. Let’s not forget that before we can have a law we need action from the House too; in April Rep. Bobby Rush introduced the Data Accountability and Trust Act (H.R. 2221), in essentially the same form as an identically named piece of legislation introduced in the House during the previous Congress. The House bill was considered over the summer by the House Committee on Energy and Commerce’s Subcommittee on Commerce, Trade, and Consumer Protection and ordered reported out to the full House at the end of September. So the key question now is, when will one or both sides of Congress take up these bills for consideration and action by the full chambers?
The results of a survey conducted recently by HIMSS and Symantec and reported out this week suggest that a majority of healthcare organizations are not yet able to comply with security and privacy requirements and standards, including those included in the HITECH Act. Interesting findings include the fact that fewer than half of the 196 health IT professionals surveyed work for companies that have a formally designated chief information security officer (federal agencies are required to have such a position under FISMA, but there is no such requirement on private sector organizations), and a similar number do not have plans or capabilities to respond to security incidents if they occur. No less surprising but still of concern is the apparent choice of about a third of the organizations represented by survey respondents to implement available security technology such as encryption of data in transit. The use of encryption for stored data is still not widespread, which is probably to be expected given the small percentage of health technology vendors who offer this capability (it is of course available in most modern database management systems, but the applications must be able to work with the encryption features of the DBMS). This particular issue has gained greater visibility since the passage of the HITECH Act and the implementation of the personal health data breach notification rules, both of which provide an exception to disclosure requirements if the data subject to a breach is unreadable, unusable, or otherwise indecipherable — in other words, encrypted.
Perhaps taking advantage of the increased attention placed on security and privacy issues, including the implementation of new data breach disclosure rules by both HHS and the FTC applicable to personal health information, Senator Patrick Leahy in July introduced S. 1490 as the Personal Data Privacy and Security Act, which the Judiciary Committee began considering this week. The bill would establish standards for data privacy and security programs to protect personally identifiable information, applicable to any business entity not already subject to Gramm-Leach-Bliley or HIPAA that collects, uses, stores, transmits, or disposes of records on 10,000 or more people. Entities that would be covered under this proposed legislation would be obligated to implement data privacy and security safeguards and practices, or risk financial penalties of as much as $5,000 per day while in violation. In terms of data breaches, organizations subject to the proposed legislation would have to “notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.” The language as drafted does provide exemptions from disclosure requirements in certain circumstances, including cases where there is no significant risk of harm to individuals whose personal information was part of the breach. In Leahy’s bill, however, the determination that no significant risk exists is based on the use of encryption or other mechanisms to render the information indecipherable; the technical stipulations do not provide the same subjective “out” contained in the final version of the HHS rules for personal health information breach disclosures.
Other provisions in the bill include strengthening of penalties for cases of identity theft and the application of racketeering laws to identity theft, and a requirement that credit reporting agencies receive data breach notifications, in addition to requirements that individuals be notified when their personally identifiable information has been disclosed. The most challenging part of the bill as drafted may be the determination of appropriate safeguards; a similar provision in the HIPAA security rule resulted in the need to develop a formal set of appropriate security controls to deliver the safeguards called for in the law.
In a sharp departure from the more typical agency-level FISMA self-assessments, the internal FISMA audit by the Inspector General of the Department of the Interior reveals serious systemic problems in DOI’s security management, with blame focused on ineffective governance, under-skilled staff, and the failure of bureaus to adhere to departmental and government-wide guidance. What is interesting about this latest example of poor security program management is that we don’t see more reports of this type, as the structural deficiencies cited by the Interior IG are common in other agencies. Among the key problems highlighted was the way Interior’s security officers tend to push security responsibility out to regional managers, instead of maintaining central oversight at the CISO level. One IG recommendation was therefore to escalate the reporting relationship of the Department CIO so that the CIO reports directly to the Secretary, rather than the current organizational structure that puts the CIO under the Assistant Secretary for Policy, Budget, and Management. Having the CIO (and by extension, the CISO, who under FISMA is supposed to report to the CIO) a few layers down in the organization, rather than reporting to the Secretary, is hardly unusual: at agencies such as DHS, State, Treasury, and HHS, the CIO reports to an executive responsible for management (the Undersecretary for Management at DHS and State; the Assistant Secretary for Management at Treasury; and the Assistant Secretary for Administration and Management at HHS). By contrast, at both the VA and DOD, the CIO is an Assistant Secretary. Judging by other agencies, it would seem less important to whom the CIO reports, and more important just how much delegation of security responsibility is allowed below the bureau level.
Any decentralized or federated department will face security management challenges due to differing risk tolerances (and possibly levels of maturity in applying risk management practices), so without strong top-down guidance and enterprise standards for security, findings such as those seen at DOI aren’t very surprising.
Members of Congress show no signs of letting up in efforts to revise or reform or extend various information security regulations. Ideas about updating FISMA — particularly from Senators like Olympia Snowe, John Rockefeller, and Tom Carper — have received a lot of attention this year, as have debates about the appropriate location, role, and reporting structure for whatever individual or position will take top responsibility for federal cybersecurity management and oversight. Now in the House comes the Cybersecurity Coordination and Awareness Act, which among other provisions would assign NIST, already responsible for producing security standards and guidance under FISMA, the task of collaborating with international organizations on security standards. The bill, reported out yesterday by the Technology and Innovation Subcommittee of the House Committee on Science and Technology, might represent a further driver for NIST’s ongoing work to compare and align (if not actually harmonize) the NIST Special Publication 800-53 security control framework with the ISO/IEC 27000 series of controls.
International cooperation on security issues seems to be a theme this week. A global conference on data privacy rules convened in Spain this week, attended by hundreds of delegates from different nations, including Homeland Security Secretary Janet Napolitano, who addressed the International Conference of Data Protection and Privacy Commissioners on Wednesday, stressing the importance of information sharing among nations to improve security for all nations and defend against modern global threats.