Federal Agency Data Protection Act

To amend title 44, United States Code, to strengthen requirements for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets, and for other purposes.

6/3/2008--Passed House amended. Federal Agency Data Protection Act -
(Sec. 3) Defines "personally identifiable information" as any information about an individual maintained by a federal agency, including information about the individual's education, finances, medical, criminal, or employment history, that can be used to distinguish or trace such individual's identity or that is otherwise linked or linkable to the individual.
(Sec. 4) Includes within the information security duties of the Director of the Office of Management and Budget (OMB):
(1) reviewing agency information security programs, including plans and schedules, developed on the basis of priorities for addressing levels of identified risk, for conducting testing and evaluation and remedial action to address deficiencies;
(2) establishing minimum requirements for the protection of personally identifiable information maintained in or transmitted by mobile digital devices, including requirements for the use of technologies that efficiently and effectively render information unusable by unauthorized persons;
(3) requiring agencies to comply with minimally acceptable system configuration requirements consistent with best practices, including checklists developed under the Cyber Security Research and Development Act by the Director of the National Institute of Standards and Technology, and minimally acceptable requirements for periodic testing and evaluation of the implementation of such configuration requirements;
(4) ensuring that agency contracts for the provision of information technology products or services include requirements for contractors to meet such configuration requirements; and
(5) ensuring the establishment of contract requirements to ensure compliance with this Act with regard to providing security for information and information systems used or operated by an agency contractor or other organization on the agency's behalf.

(Sec. 5) Requires agencies to include in their information security programs:
(1) policies and procedures that ensure compliance with minimally acceptable system configuration requirements as required by the Director (currently, the agency);
(2) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices as approved by the Director that include testing of systems operated by an agency contractor; and
(3) plans and procedures for ensuring the adequacy of information security protections for systems maintaining or transmitting personally identifiable information, including requirements for maintaining a current inventory of such systems, implementing information security requirements for mobile digital devices maintaining or transmitting such information, and developing, implementing, and overseeing remediation plans to address vulnerabilities in information security protections. Allows testing requirements to be satisfied by independent testing, evaluation, or audits.

(Sec. 6) Requires the Director to report to Congress on a summary of information security breaches reported by agencies to the Director and the federal information security incident center.
Requires the Director to oversee the establishment of policies, procedures, and standards for agencies to follow in the event of a breach involving the disclosure of personally identifiable information, specifically including:
(1) a requirement for timely notice to those individuals whose information could be compromised, except when the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct or of other harm to the individual;
(2) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identify theft insurance, and credit protection or monitoring services; and
(3) a requirement for the timely reporting of such breaches to the Director and federal information security center.
Requires agency heads to delegate to their Chief Information Officer the authority to ensure compliance and to enforce information security requirements, including developing and maintaining an inventory of personal computers laptops or hardware containing personally identifiable information.
Requires agencies to include in their information security programs:
(1) procedures for notifying individuals whose personally identifiable information may have been compromised or accessed following a breach; and
(2) procedures for the timely reporting of breaches involving personally identifiable information.
Includes among functions of Chief Human Capital Officers the prescription of policies and procedures for exit interviews of employees, including a full accounting of all federal personal property assigned.
(Sec. 7) Requires agency heads to implement expeditiously and revise as necessary a plan to ensure the security and privacy of information collected or maintained by or on behalf of agencies from the risks posed by certain peer-to-peer file sharing programs. Requires the Comptroller General to review and report to specified congressional committees on the adequacy of such plans.
(Sec. 8) Requires audits (currently, evaluations are required) of agency information programs and practices to determine whether information security controls are effective.

(Sec. 9) Amends the E-Government Act of 2002 to require the Director to develop best practices for agencies to follow in conducting privacy impact assessments.


... morehide bill summarySee Full Bill Text

Sponsor

• Rep. William Clay [D, MO-1]
• and 2 Co-Sponsors
  • Rep. Edolphus Towns [D, NY-10]
  • Rep. Henry Waxman [D, CA-30]
  close

Committees

• Senate Homeland Security and Governmental Affairs
• 2 more
  • House Oversight and Government Reform
  • House Oversight and Government Reform
  close

Amendments

This bill has no amendments.

Amendments to H.R.4791

Number	Status	Purpose

Bill Status

Make a Bill Status Widget

	OpenCongress widgets allow you to display information about bills and issue areas on your own website or blog. First, select which bill or issue you want to track, then customize the appearance of the panel, and finally paste a simple chunk of HTML into your site. Now your community will have an easy, up-to-date way to track the status of important bills and issues in Congress.

Introduced		Voted on by House		Voted on by Senate		Considered By President		Bill Becomes Law
December 18, 2007		June 03, 2008

Show All Actions (13 actions)Hide Actions

All Bill Actions

• Jun 04, 2008: Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
• Passed by voice vote in the House on Jun 03, 2008. On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote.
• Jun 03, 2008: DEBATE - The House proceeded with forty minutes of debate on H.R. 4791.
• Jun 03, 2008: Considered under suspension of the rules.
• Jun 03, 2008: Mr. Clay moved to suspend the rules and pass the bill, as amended.
• Added to calendar on May 21, 2008: Placed on the Union Calendar, Calendar No. 417..
• May 21, 2008: Reported (Amended) by the Committee on Oversight and Government. H. Rept. 110-664.
• Added to calendar on Apr 16, 2008: Ordered to be Reported (Amended) by Voice Vote..
• Apr 16, 2008: Subcommittee on Information Policy, Census, and National Archives Discharged.
• Feb 14, 2008: Subcommittee Hearings Held.
• Jan 16, 2008: Referred to the Subcommittee on Information Policy, Census, and National Archives.
• Dec 18, 2007: Referred to the House Committee on Oversight and Government Reform.
• Introduced on Dec 18, 2007.

---

Related Issue Areas:

• Technology
• Student records
• Security measures
• Right of privacy
• 37 more
• Public records
• Public contracts
• Personnel records
• Office of Management and Budget
• Medicine
• Medical records
• Medical care
• Law
• Labor
• Information services
• Identity theft
• Identification devices
• Higher education
• Government publicity
• Government property
• Government procurement
• Government paperwork
• Government contractors
• Fraud
• Financial statements
• Finance
• Executive departments
• Encryption
• Elementary and secondary education
• Education
• Data banks
• Criminal justice information
• Criminal justice
• Credit insurance
• Computers
• Computer security measures
• Computer networks
• Civil liberties
• Budgets
• Authorization
• Administrative procedure
• Government information

Data from the Congressional Research Service

Users tracking H.R.4791 (4) are also tracking:

Show More User Statistics... Hide User Statistics

In the News

June 04, 2008 EMC lobbying dollars reached $730000 in first quarter

EMC has put its weight behind HR 4791, a bill which seeks to formalize data breach/loss reporting requirements and mandates encryption of personal and ...

Was this article useful? Yes or No

Source: Register, UK

Did you find this article useful? Your opinion counts - together, we're finding the very best news and blog coverage about Congress available on the web.

December 20, 2007 Rep. Clay introduces another data security bill

The bill, HR 4791, is another in a series of legislative efforts to improve how agencies and the private sector prevent and respond to data losses. ...

Was this article useful? Yes or No

Source: FCW.com, VA

Did you find this article useful? Your opinion counts - together, we're finding the very best news and blog coverage about Congress available on the web.

See most useful news articles

Information made available by:

Blog Coverage

June 19, 2008 US House Passes Data Security Legislation

Source: Lexology, June, 19, 2008. House passes data security legislation Blank Rome LLP "On June 3, the Federal Agency Protection Act, HR 4791, passed the House by voice vote under suspension of the rules."

Was this article useful? Yes or No

Source: New York Supreme Court Criminal Term Library

Did you find this article useful? Your opinion counts - together, we're finding the very best news and blog coverage about Congress available on the web.

June 01, 2008 Hr

The pitch was an 82 MPH fastball right down the heart of the plate Hr Therefore, without further ado, HR 4791! The OMB is required to conduct tests and evaluations of plans and schedules to determine and correct deficiencies in ...

Was this article useful? Yes or No

Source: Hr4437

Did you find this article useful? Your opinion counts - together, we're finding the very best news and blog coverage about Congress available on the web.

June 01, 2008 HR 4791- Federal Agency Data Protection Act

Therefore, without further ado, HR 4791! The OMB is required to conduct tests and evaluations of plans and schedules to determine and correct deficiencies in governmental compliance with the checklist of security procedures enacted in ...

Was this article useful? Yes or No

Source: The Bill Reader

Did you find this article useful? Your opinion counts - together, we're finding the very best news and blog coverage about Congress available on the web.

12 more posts...
See most useful blog posts

Information made available by: