Veterans Benefits, Health Care, and Information Technology Act of 2006, Tit. IX, Pub. L. No. 109-461 (Dec. 22, 2006) (the Veterans Affairs Information Security Act of 2006), codified at 38 U.S.C. §§5722 et seq.
The Act requires the Veterans Administration (now the Department of Veterans Affairs) (VA) to implement agency-wide information security procedures to protect the VA's "sensitive personal information" (SPI) and VA information systems. The Act was enacted to respond to the May 2006 breach of the personal data of 26.5 million veterans caused by the theft of a VA employee’s hard drive from his home.
Statutory provisions
Pursuant to the Act, the VA's information security program is to provide for the development and maintenance of cost-effective security controls to protect VA information, in any medium or format, and VA information systems. The information security program is required to include the following elements:
- periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of VA information and information systems;
- policies and procedures based on risk assessments that cost-effectively reduce security risks and ensure information security;
- implementation of security controls to protect the confidentiality, integrity, and availability of VA information and information systems;
- plans for security for networks, facilities, systems, or groups of information systems;
- annual security awareness training for employees and contractors and users of VA information and information systems;
- periodic testing of security controls;
- a process for remedial actions;
- procedures for detecting, reporting, and responding to security incidents; and
- plans and procedures to ensure continuity of operations.
Additionally, the VA Secretary is directed to comply with FISMA, and other security requirements issued by NIST and OMB. The law also establishes specific information security responsibilities for the VA Secretary, information technology and information security officials, VA information owners, other key officials, users of VA information systems, and the VA Inspector General.
Reporting and risk analysis requirements
The Act requires that, in the event of a "data breach" of sensitive personal information processed or maintained by the VA Secretary, the Secretary must ensure that, as soon as possible after discovery, either a non-VA entity or the VA's Inspector General conducts an independent risk analysis of the data breach to determine the level of risk that any sensitive personal information could be misused.
Based upon the risk analysis, if the Secretary determines that a reasonable risk exists of the potential misuse of sensitive personal information, the Secretary must provide credit protection services in accordance with regulations issued by the VA Secretary.
The VA Secretary is required to report to the Veterans Committees the findings of the independent risk analysis for each data breach, the Secretary’s determination regarding the risk for potential misuse of sensitive personal data, and the provision of credit protection services. If the breach involved the sensitive personal data of DOD civilian or enlisted personnel the Secretary must also report to the Armed Services Committees.
In addition, the VA Secretary must submit quarterly reports to the Veterans Committees of Congress on any data breach of sensitive personal information processed or maintained by the VA during that quarter. For any breach of SPI that the VA Secretary determines to be significant, notice must be provided to the Veterans Committees promptly following discovery of the breach, and, if the breach involved the SPI of DOD civilian or enlisted personnel, also to the Armed Services Committees.
The Act also requires the VA to include data security requirements in all contracts with private-sector service providers that require access to sensitive personal information. Every such contract must include a prohibition on disclosure of that information unless the disclosure is lawful and expressly authorized under the contract, and a condition that the contractor or subcontractor notify the Secretary of any data breach of such information. In addition, each contract must provide for liquidated damages, payable by the contractor to the Secretary in the event of a data breach involving any sensitive personal information, and any such payment must be made available exclusively for the purpose of providing credit protection services.
The Act requires the Secretary of the VA within 180 days of enactment (by June 22, 2007) to issue interim regulations concerning notification, data mining, fraud alerts, data breach analysis, credit monitoring, identity theft insurance, and credit protection services.
Interim final regulations were issued by the VA Deputy Secretary on June 22, 2007 to address data breach security regarding sensitive personal information processed or maintained by the VA. The final regulations, issued April 2008, adopted the interim rule without change. The regulations do not supersede the requirements imposed by other laws such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act of 1970, and their implementing rules.
1. "The term 'sensitive personal information', with respect to an individual, means any information about the individual maintained by an agency, including the following: (A) Education, financial transactions, medical history, and criminal or employment history. (B) Information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records." Pub. L. No. 109-461, §902.
2. See Sidath Viranga Panangala, Department of Veterans Affairs: Information Security and Information Technology Management Reorganization (Aug. 14, 2006) (CRS Report RL33612) (full-text).
3. 38 U.S.C. §5722.
4. "Data breach means the loss or theft of, or other unauthorized access to, other than an unauthorized access incidental to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data." 38 U.S.C. §5727(4).
5. 38 U.S.C. §5724(a)(1).
6. Id. §5724(a)(2).
7. Id. §5724(c)(1).
8. Id. §5724(c)(2).
9. Id. §5726.
10. Id. §5724(b).
11. Id. §5725.
12. Id. §5724(b).
13. 72 Fed. Reg. 34395 (2007), 38 C.F.R. § 75, Subpart B. The interim final regulations implement the sections of Pub. L. No. 109-461 on data breaches, credit protection services, and reporting requirements. A separate rulemaking will be commenced to issue regulations implementing the sections of Pub. L. No. 109-461 that require a VA information security program and establish information security responsibilities. Id.
14. 73 Fed. Reg. 19747 (Apr. 11, 2008).