The Act “guarantee[s] that the Federal Government is not wasting money on inaccurate data and that vendors are undertaking the security programs that they have promised and for which the government is paying.” – Senator Russ Feingold
“I’ve got some ocean front property in Arizona. From my front porch you can see the sea. And if you’ll buy that I’ll throw in the Golden Gate for free.” – George Strait
Although Senator Feingold’s optimism is well placed, it may be overstated. However, if the Act is passed as presented, the Federal Government will take a substantial step forward in protecting personally identifiable information. Title IV of the Act requires the Federal Government to evaluate the privacy and security program of all data brokers who bid for government contracts in excess of $500,000. Yes, Virginia, even our own Federal Government hires data brokers in order to find out more about you, the taxpayer.
Title IV’s requirements are very specific. The General Services Administration is in charge of reviewing: (1) the data privacy and security program of a data broker to ensure the privacy and security of data containing the personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software; (2) the compliance of a data broker with such program; (3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and (4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.
Just like the GLBA, Title IV provides a compliance safe harbor. Section 401(b) states, “The data privacy and security program of a data broker shall be deemed sufficient… if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.” This compliance safe harbor is vague at best and punts the proverbial football over to the FTC to define what exactly “protection equal to industry standards” means.
If a data broker wants to bid on a government contract, the Act also requires Federal agencies to complete a privacy impact assessment under section 208 of the E-Government Act of 2002. The privacy impact statement must address the use of commercial information services that contain personally identifiable information. This privacy impact assessment must be completed before the Federal agency enters into a data broker contract and must include a laundry list of specific information regarding the data broker, the broker’s data privacy and security program, and the government contract itself. The privacy impact assessment must include a description of: (1) the database; (2) the name of the data broker; and (3) the contract amount. Additionally, a data broker must adopt regulations that specify: (1) the personnel permitted to access, analyze or use such databases; (2) standards governing the access, analysis, or use of such databases; (3) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency; (4) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases; (5) procedures ensuring that such data meets standards of accuracy, relevance, completeness and timeliness; (6) the auditing and security measures to protect against unauthorized access, analysis, use or modification of data in such databases; (7) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases; (8) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (9) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.
If the contract exceeds $500,000, then the government contract must also include penalties for failing to comply with Title III of the Act and for failing to comply with the data broker’s own data privacy and security program.
Interestingly, Title IV also requires the Department of Justice to create a department-wide Chief Privacy Officer who reports directly to the Deputy Attorney General. The Chief Privacy Officer shall oversee the D.O.J.’s implementation of Title IV’s privacy impact assessment requirements and coordinate with the Privacy and Civil Liberties Oversight Board.
Congress may not pass the Data and Privacy Security Act into law this legislative session. However, lawmakers and industry leaders agree that this bill is long overdue and that it will eventually pass. The only remaining questions are in what form it will pass, and when.