Federal Contractors To Deal With Federal File Sharing Concerns

Posted on March 29, 2010 by Joseph Lazzarotti

Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). Likely a response to the leakage of House and Senate ethics investigations, if the “Secure Federal File Sharing Act” (H.R. 4098) (pdf) becomes law it would be the first widespread federal statute regulating P2P Software.

Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including those government computers operated by contractors. In particular, the Act requires OMB guidelines to:

to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.

Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to

  1. require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
  2. update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
  3. ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.

Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully. 

Tags: , , , , , ,

House of Representatives Passes the Data Accountability and Trust Act

Posted on December 9, 2009 by Joseph Lazzarotti

As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers." 

Thumbnail for version as of 23:34, 16 January 2008The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.

The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:

  • the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
  • the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
  • the cost of implementing such safeguards.

These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.

Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.

For purposes of the Act, the term ‘personal information’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • Social Security number.
  • Driver’s license number or other State identification number.
  • Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

The Act would require a covered person to establish policies and procedures that include:

  • A policy concerning the collection, use, sale, other dissemination, and maintenance of such personal information.
  • Naming an officer or other point person concerning the management of information security.
  • Developing a process for identifying and assessing any reasonably foreseeable vulnerabilities in the person’s electronic systems, include regularly monitoring for breaches of security.
  • Having a process for taking preventive and corrective action to mitigate against any such vulnerabilities.
  • Implementing a process for disposing of obsolete data in electronic form containing personal information.

The Act also would establish a nationwide data breach notification standard. The new standard would be similar in overall format to existing state breach notification laws and the new notification requirement under the HIPAA privacy regulations. While the Act would require notice only if there is a reasonable risk of identity theft, fraud, or other unlawful conduct, persons required to provide notification under the Act must assist affected persons with obtaining certain credit information.

Specifically, upon request of an individual whose personal information was included in the breach, the covered person must provide, or arrange for the provision of, to each such individual and at no cost, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following the discovery of a breach of security and continuing on a quarterly basis for a period of 2 years thereafter.

The new law would also impose heightened requirements to safeguard personal information on “information brokers”:

commercial entities whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

These heightened requirements would include, among other things, a post-breach audit, procedures to verify accuracy of personal information, audit logs for information accessed or transmitted, and prohibitions on pretexting. 
 
Tags: , , , ,