Washington Markup

Crucial Amendment Added to Cyber Bill Would Improve Federal Agency Handling of Personal Information

By Chris Calabrese, Legislative Counsel, ACLU Washington Legislative Office at 12:11pm

Late Thursday night Sen. Daniel Akaka (D-HI) filed an important amendment to the Senate cybersecurity legislation to begin to rein in the information the federal government collects on all of us. We don’t think about it much, but the federal government collects an enormous amount of personal information on a regular basis: in order for citizens to receive benefits and services, to exercise fundamental rights like voting or petitioning the government, for licensing everything from guns to businesses, for employment, education and for many types of health care. In short, this information collection is nearly ubiquitous in American life.

But what happens to all this information? We assume that it’s kept secure, used appropriately and that accuracy and other requirements are in place to prevent mistakes and other problems. But unfortunately the baseline federal law that safeguards all this information, the Privacy Act, is almost 40 years old. Over that time, Congress has not kept the law up to date, and loopholes have arisen that have weakened the Privacy Act and endangered our personal privacy. This is part of a larger problem that Sen. Akaka’s committee will investigate at a hearing tomorrow (and where I will testify on the issue) but in the meantime the Senator is offering three straightforward fixes.

Federal Breach Notification

Amazingly, in spite of the fact that 46 states require notification in cases when information is lost or stolen, the federal government has no statutory mandate requiring federal agencies to do the same. There is guidance from the Office of Management and Budget that agencies are supposed to follow, but it’s weak and sometimes ignored. For example, in a recent breach involving 123,000 federal employees participating in the Thrift Savings Plan, the agency had no breach notification policy at all. The problem is epidemic, with at least 78 federal data breaches and at least 77 million records compromised since 2008. Sen. Akaka’s amendment would direct the Department of Homeland Security to establish requirements for agencies to provide timely notification to individuals and mandate agencies to report on their compliance.

Commercial Databases

In recent decades, federal agencies have come to increasingly rely on private databases for personal information on all of us. Agencies use them for background checks, fraud prevention, and as part of law enforcement investigations. The problem is that none of the accuracy and reporting requirements of the Privacy Act apply to these private systems. As a result, these databases contain incorrect information and provide individuals with no way to know how they are used or where information is going. The amendment would simply require agencies to do assessments of these systems and disclose how they are used (these are the same assessments they already perform on their own database systems).

Remedies under the Privacy Act

In a bad decision from this term, FAA v. Cooper, the Supreme Court held that the victims of Privacy Act violations can recover only for economic harm (not emotional distress) caused by the violation. In Cooper, the Social Security Administration shared the plaintiff’s HIV status with the Federal Aviation Administration and Department of Transportation in violation of the Privacy Act. Even though the plaintiff proved that the agencies violated the Privacy Act, the Court concluded that Congress intended through use of the term “actual damages” to limit recovery under the Privacy Act to those suffering economic harm, and the plaintiff was denied damages for his emotional harm. This amendment would allow victims to recover for all provable harms resulting from the disclosure of private personal information, including mental and emotional distress.

There are still major loopholes to resolve in the Privacy Act. In my testimony next Tuesday I will highlight parts of the law that allow agencies to actually exempt themselves from complying with key components and sidestep others. This has led to many of the national security and law enforcement invasions of privacy we see today. But for now, Senator Akaka has taken a crucial first step to increase transparency and help the victims of violations.
