The Federal Agency Data Breach Protection Act

This week, Rep. Tom Davis (R-VA), Chairman of the House Committee on Government Reform, introduced H.R. 6163, the Federal Agency Data Breach and Protection Act, which amends Title 44 of the United States Code to strengthen security requirements related to breaches of data.

Really, the act should be renamed The Federal Laptop Control Act, because the language is specifically crafted towards controlling laptops and announcing laptop losses in a timely fashion. This probably has more to do with the negative publicity received from a rash of government laptop thefts over the last year than with “data breach and protection”; at least we the people are offered a policy for admitting to the government’s embarrassing faux pas. (You mean, we _allowed_ somebody to burn a CD of 26.4 million veterans’ records in the first place?)

The act introduces a requirement for reporting laptop thefts or losses; sets up a requirement for notification of Congress and of all known individuals affected; mandates guidance on determining what “timely” means; mandates that the agency give guidance on follow-up actions and assistance with identity theft monitoring; and mandates that agencies develop and maintain an inventory of personal computers, laptops, and so on (what, serialized asset control wasn’t already happening?).

Because this is a federal law, it would impact only federal government agencies and not commercial, state, or municipal institutions, and that isn’t what we need. What is really needed is a broader, more encompassing piece of legislation that consistently outlines “due care” obligations and penalties for all institutions that negligently allow theft, loss, or destruction of an individual’s Personal Private Information (PPI). It’s not enough to carve out child data (COPPA), medical data (HIPAA), financial data (GLB), and educational data (FERPA) and say that this information is particularly private. Instead, we need a bill that treats all personal information as private and attaches consequences to any “data breach”. That, indeed, would lead to a much higher level of “protection” for all.

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, an MCSE, and a Master’s degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.