The State of Federal Privacy and Data Security Law: Lagging Behind the Times?

On July 31, 2012, the Senate Committee on Homeland Security and Governmental Affairs held a hearing entitled “The State of Federal Privacy and Data Security Law: Lagging Behind the Times?”  The hearing was held in conjunction with legislation introduced to update the Privacy Act of 1974.  “Despite dramatic technological changes over the last four decades, much of the Privacy Act remains stuck in the 1970s,” said Sen. Daniel Akaka (D-HI), chairman of the Homeland Security Oversight of Government Management Subcommittee, in his opening statement. “As a result, the act is difficult to interpret and apply, and it provides inconsistent protection to the massive amount of personal information in the hands of the government.”

Sen. Akaka’s “Privacy Act Modernization for the Information Age Act of 2011” would update the rules governing agencies’ collection of individuals’ personal information so that they keep pace with technology.  The bill would also create the position of federal chief privacy officer; require tighter controls over access to and maintenance of personal data; and increase penalties for misuse of personal data held by agencies.

The Privacy Act is the law controlling how the federal government collects, uses, and retains personally identifiable information (PII).  It safeguards privacy by creating four procedural and substantive rights in personal data.  The Electronic Privacy Information Center (EPIC) summarizes them as follows: First, the act requires government agencies to show an individual any records kept on him or her.  Second, it requires agencies to follow certain principles, called “fair information practices,” when gathering and handling personal data.  Third, it places restrictions on how agencies can share an individual’s data with other people and agencies.  Fourth, it lets individuals sue the government for violating its provisions.

Witnesses at last week’s hearing included:

  • Mary Ellen Callahan, Chief Privacy Officer, Department of Homeland Security
  • Greg Long, Executive Director, Federal Retirement Thrift Investment Board
  • Greg Wilshusen, Director, Information Security Issues, GAO
  • Peter Swire, Professor of Law, Ohio State University
  • Chris Calabrese, Legislative Counsel, ACLU
  • Paul Rosenzweig, Visiting Fellow, Heritage Foundation

Sen. Akaka noted several examples of security breaches involving federal agencies, including one involving a contractor for the Federal Retirement Thrift Investment Board, which handles retirement accounts for federal workers.  Earlier this year, the personal information of more than 123,000 participants, the Senator’s own PII among it, was compromised after the contractor handling that data was hit with a cyberattack.  Sen. Akaka noted, as he questioned Mr. Long, that the board did not have a breach-notification policy in place at the time.

Chris Calabrese testified that federal agencies are exploiting loopholes in the Privacy Act by labeling almost all disclosures as “routine uses,” a term in the law that permits information to be disclosed without the individual’s consent.  He also noted that the law does not cover information held by private contractors, a significant concern since federal agencies increasingly rely on databases controlled by private companies.  His testimony was reinforced by Greg Wilshusen, who argued that without updates to the Privacy Act and other actions, “Americans’ personally identifiable information remains at risk.”

Peter Swire, who served as the White House’s privacy adviser during the Clinton administration, backed the creation of the federal chief privacy officer post. He also testified that, absent legislation to update the Privacy Act, one immediate step Congress could take to improve protections for information held by the government would be to confirm the five pending nominees to the Privacy and Civil Liberties Oversight Board (PCLOB). (Note: On August 2, 2012, the Senate confirmed four of the nominees but did not confirm the nominee for the board’s chairman.)

While the outcome of this legislation is unknown at this time, EDUCAUSE will continue to monitor and report on the issue.