[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 516 Introduced in House (IH)]
110th CONGRESS
1st Session
H. R. 516
To increase the security of sensitive data maintained by the Federal
Government.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
January 17, 2007
Mrs. Jo Ann Davis of Virginia introduced the following bill; which was
referred to the Committee on Oversight and Government Reform
_______________________________________________________________________
A BILL
To increase the security of sensitive data maintained by the Federal
Government.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Agency Data Privacy
Protection Act''.
SEC. 2. DEFINITION OF SENSITIVE DATA.
In this Act:
(1) Sensitive data.--The term ``sensitive data'' includes
the following:
(A) Social security numbers.
(B) Financial records.
(C) Previous or current health records, including
hospital or treatment records of any kind, including
drug and alcohol rehabilitation records.
(D) Criminal records.
(E) Licenses.
(F) License denials, suspensions, or revocations.
(G) Tax returns.
(H) Information that has been specifically
authorized under criteria established by an Executive
order or an Act of Congress to be kept classified in
the interest of national defense or foreign policy.
(I) Personally identifiable information.
(2) Personally identifiable information.--The term
``personally identifiable information'' means any information,
in any form or medium, that relates to the past, present, or
future physical or mental health, predisposition, or condition
of an individual or the provision of health care to an
individual.
(3) Federal computer system.--The term ``Federal computer
system'' has the meaning given such term in section 20(d) of
the National Institute of Standards and Technology Act (15
U.S.C. 278g-3(d)).
(4) Agency.--The term ``agency'' has the meaning provided
in section 3502(1) of title 44, United States Code.
(5) Record.--The term ``record'' has the meaning provided
in section 552a(a) of title 5, United States Code.
SEC. 3. REQUIREMENT FOR USE OF ENCRYPTION FOR SENSITIVE DATA.
(a) Requirement for Encryption.--
(1) In general.--All sensitive data maintained by the
Federal Government, including such data maintained in Federal
computer systems, shall be secured by the use of the most
secure encryption standard recognized by the National Institute
of Standards and Technology.
(2) Updating required every 6 months.--Any sequence of
characters (known as an encryption key) used to secure an
encryption standard used on Federal computer systems shall be
changed every 6 months, at a minimum, to provide additional
security.
(3) Implementation.--The requirements of this subsection
shall be implemented not later than 6 months after the date of
the enactment of this Act.
(b) Federal Agency Responsibilities.--The head of each agency shall
be responsible for complying with the requirements of subsection (a)
within the agency. Such requirement shall be considered to be a
requirement of subchapter III of chapter 35 of title 44, United States
Code, for purposes of section 3544(a)(1)(B) of such title.
SEC. 4. REQUIREMENTS RELATING TO ACCESS BY AGENCY PERSONNEL TO
SENSITIVE DATA.
(a) On-Site Access.--No employee of the Federal government may have
access to sensitive data on Government property unless the employee has
received a security clearance at the ``secret'' level or higher and has
completed a financial disclosure form, in accordance with applicable
provisions of law and regulation.
(b) Off-Site Access.--
(1) Prohibition.--Sensitive data maintained by an agency
may not be transported or accessed from a location off
Government property unless a request for such transportation or
access is submitted and approved by the Inspector General of
the agency in accordance with paragraph (2).
(2) Procedures.--
(A) Deadline for approval or disapproval.--In the
case of any request submitted under paragraph (1) to an
Inspector General of an agency, the Inspector General
shall approve or disapprove the request within 2
business days after the date of submission of the
request.
(B) Limitation to 10,000 records.--If a request is
approved, the Inspector General shall limit the access
to not more than 10,000 records at a time.
(3) Encryption.--Any technology used to store, transport,
or access sensitive data during for purposes of off-site access
approved under this subsection shall be secured by the use of
the most secure encryption standard recognized by the National
Institute of Standards and Technology.
(c) Implementation.--The requirements of this subsection shall be
implemented not later than 6 months after the date of the enactment of
this Act.
SEC. 5. REQUIREMENTS RELATING TO GOVERNMENT CONTRACTORS INVOLVING
SENSITIVE DATA.
(a) Applicability to Government Contractors.--In entering into any
contract that may involve sensitive data in electronic or digital form
on 10,000 or more United States citizens, an agency shall require the
contractor and employees of the contractor to comply with the
requirements of sections 3 and 4 of this Act in the performance of the
contract, in the same manner as agencies and government employees
comply with such requirements.
(b) Implementation.--The requirements of this subsection shall be
implemented with respect to contracts entered into on or after the date
occurring 6 months after the date of the enactment of this Act.
<all>