The head of a Senate subcommittee on Tuesday called for an overhaul of the federal privacy laws that stipulate how government agencies collect, use and secure citizens' information.
Daniel Akaka (D-Hawaii), who chairs the Homeland Security and Governmental Affairs Committee's Oversight of Government Management Subcommittee, warned that the 1974 Privacy Act is rife with vague language that no longer provides adequate protections for citizens after nearly four decades of technological advances.
At Tuesday's hearing, Akaka revealed that he was one of dozens of lawmakers whose personal information was compromised in a major security breach involving the agency that oversees the Thrift Savings retirement program for federal workers.
He challenged Greg Long, executive director of the Federal Retirement Thrift Investment Board, about the organization's security posture. In the 2011 breach, which involved a subcontractor's desktop computer that fell prey to a cyberattack, the personal information of more than 123,000 federal workers was compromised, including more than 40,000 Social Security numbers.
Akaka chided Long for having failed to implement guidance that the Office of Management and Budget (OMB) had issued in 2007 directing departments and agencies to strengthen their security defenses and issue prompt notification to anyone whose information might be compromised in a data breach.
Long, in his defense, said that his agency had been hindered in acting on the guidance by scarce resources but that it had taken swift action to improve its security posture since.
He explained that the agency is undertaking a "significant modernization effort" to harden its defenses in areas such as its server environment. He told lawmakers that his staff had made significant progress on the security front, but insisted that the agency would remain vigilant in the face of ever-evolving threats.
"Even with all of this, we know that there are sophisticated attackers out there," Long said.
"We need to go back and redouble our efforts," he added. "We feel that we have been focused on IT security, but this is a wake-up call."
Though the Thrift Savings breach was among the more recent and high-profile security issues to hit the federal government, it was by no means an isolated incident. Akaka noted that implementation of the OMB guidelines has been highly uneven across the departments and agencies. Additionally, he cited the absence of a chief privacy officer at OMB as an example of a shortfall of executive leadership on issues of privacy and security.
Moreover, Akaka called for legislative measures to help protect citizens' personal information. For instance, he has offered an amendment to the comprehensive cybersecurity bill the full Senate is considering this week that would direct the Department of Homeland Security to draft rules requiring agencies to notify consumers in the event of a breach.
He has also introduced a bill that would update the Privacy Act, the guiding statute governing how federal agencies use citizens' personal information, a law that he warned has fallen dangerously out of step with the way government authorities use modern technology.
"Unfortunately key pieces of this foundation have serious cracks that need to be fixed," he said.