VA panel to move data breach bill

Measure contains notification requirements and language on credit-monitoring services.

After five full committee hearings on a significant data breach at the Veterans Affairs Department, the House Veterans Affairs Committee plans to debate legislation Thursday in hopes of preventing a similar security problem.

The committee took comments on a draft of the bill during a hearing on Tuesday.

The measure proposes notification requirements for people who could be impacted by security breaches, credit-monitoring services for victims, and investigations after any breaches to determine risks of identity theft.

Chairman Steve Buyer, R-Ind., also wants to alter the Federal Information Security Management Act to define the responsibilities of an agency secretary and undersecretary on notification of security breaches.

The draft legislation would elevate the VA's chief information officer to Cabinet status as undersecretary for information security. The undersecretary would be given three deputy undersecretaries for security, operations management and policy planning.

Former top security officers at the VA offered feedback on the bill, which was first discussed in June.

John Gauss, who served as CIO until 2003, said, "As an undersecretary, the CIO will have a seat at the table where the real decisions are made."

"Without the ability to enforce, authority doesn't mean anything," said Robert McFarland, who left as CIO in May, after the disclosure of a breach that could have affected 26.5 million veterans and active-duty military personnel.

Gauss recommended that the bill be implemented within 90 to 180 days so improvements to cyber security do not get delayed or endlessly studied without action. "The advocates of the status quo will argue that speed creates too much risk," Gauss said, but the security risk of doing nothing is greater.

He also recommended that the VA look for an undersecretary who has technology qualifications. "I believe this person must be a certified information systems security professional," Gauss said. To meet his proposed timetable and qualifications, he said the VA should be given hiring authority similar to the Homeland Security Department.

"If the VA uses business-as-usual hiring processes, it will take months or even years to properly staff the offices established by this legislation," Gauss said.

McFarland said the VA personnel office should be given the direction to hire outside personnel services and to run ads on Monster.com to get candidates with the necessary skills.

He said he had asked to try such practices during his tenure and was told that was not the way the agency did business. "One of the most frustrating parts of my two-and-a-half years there was [the hiring] process," McFarland told committee members.

Buyer said he tried to incorporate some provisions of competing House data-security bills into his legislation. Rep. Shelley Moore Capito, R-W.Va., has sponsored a bill that includes felony criminal penalties with two- to five-year prison sentences for employees who remove sensitive data.

Buyer told her that idea is outside his jurisdiction and that the Judiciary Committee would have to handle it.

VA Deputy Secretary Gordon Mansfield said that the agency will continue to work with committee staff in an effort to make its views known.

Because officials at the FBI and the VA inspector general's office are now highly confident files were not compromised as a result of the early May incident, some pieces of legislation that had been proposed are no longer needed, Mansfield said.

The Office of Management and Budget on Tuesday withdrew its request for $160.5 million in additional funding for identity theft protection for those with data included in the breach.

Daniel Pulliam of Government Executive contributed to this report.