The head of a Senate subcommittee on Tuesday called for an overhaul of the federal privacy laws that stipulate how government agencies collect, use and secure citizens' information.

Daniel Akaka (D-Hawaii), who chairs the Homeland Security and Governmental Affairs Committee's Oversight of Government Management Subcommittee, warned that the 1974 Privacy Act is rife with vague language that no longer provides adequate protections for citizens after nearly four decades of technological advances.

At Tuesday's hearing, Akaka revealed that he was one of dozens of lawmakers whose personal information was compromised in a major security breach involving the agency that oversees the Thrift Savings Plan retirement program for federal workers.

He challenged Greg Long, executive director of the Federal Retirement Thrift Investment Board, about the organization's security posture. In the 2011 breach, which began with a cyberattack on a subcontractor's desktop computer, the personal information of more than 123,000 federal workers was compromised, including more than 40,000 Social Security numbers.

Akaka chided Long for having failed to implement guidance that the Office of Management and Budget (OMB) issued in 2007 directing departments and agencies to strengthen their security defenses and promptly notify anyone whose information might be compromised in a data breach.

Long, in his defense, said that scarce resources had hindered his agency in acting on the guidance, but that it had taken swift action to improve its security posture since. He explained that the agency is undertaking a "significant modernization effort" to harden its defenses in areas such as its server environment.

He told lawmakers that his staff had made significant progress on the security front, but insisted that the agency would remain vigilant in the face of ever-evolving threats.

"Even with all of this, we know that there are sophisticated attackers out there," Long said.

"We need to go back and redouble our efforts," he added. "We feel that we have been focused on IT security, but this is a wake-up call."

Though the Thrift Savings breach was among the more recent and high-profile security incidents to hit the federal government, it was by no means isolated. Akaka noted that implementation of the OMB guidelines has been highly uneven across departments and agencies. He also cited the absence of a chief privacy officer at OMB as an example of a shortfall of executive leadership on privacy and security.

Akaka called for legislative measures as well. He has offered an amendment to the comprehensive cybersecurity bill the full Senate is considering this week that would direct the Department of Homeland Security to draft rules requiring agencies to notify consumers in the event of a breach. He has also introduced a bill that would update the Privacy Act, the guiding statute governing how federal agencies use citizens' personal information, a law he warned has fallen dangerously out of step with the way government authorities use modern technology.

"Unfortunately key pieces of this foundation have serious cracks that need to be fixed," he said.

For instance, Akaka pointed to limits on individuals' right to sue government entities under the Privacy Act for damages other than economic harm. That issue came to light in a U.S. Supreme Court case earlier this year, when the high court ruled against a plaintiff whose HIV status the Social Security Administration had shared with other agencies. The plaintiff had sued for damages, claiming emotional distress.

Civil liberties groups such as the American Civil Liberties Union have argued that the court's ruling in Federal Aviation Administration v. Cooper was a major blow to citizens' protections from privacy violations at the hands of their government.

"By many experts' accounts, this decision rendered the act toothless," Akaka said.

Akaka also pointed out what he called a loophole in the Privacy Act that exempts federal agencies' use of databases maintained by private-sector firms, a common practice among law enforcement authorities and other government entities.

"We should require privacy impact assessments on agencies' use of commercial sources of Americans' private information," he said. "This would provide basic transparency of agencies' use of commercial databases, so that individuals have appropriate protections such as access, notice, correction and purpose limitations."

Greg Wilshusen, director of information security issues at the Government Accountability Office, testified that agencies should develop and adhere to best practices for collecting and using personal information that would curb privacy risks for citizens, similar to those leading Internet companies have been developing in the private sector. For instance, Wilshusen recommended that government organizations limit the information they collect to what a specific program needs, and restrict how long that information can be retained.

"If federal agencies are collecting information for a stated purpose, once that purpose has been achieved, if they continue to retain that information indefinitely, to no other particular use, then that -- potentially, if the appropriate security controls are not placed over that information, could be subject to risk of unauthorized disclosure to someone who might be able to break into their systems or gain access to that information," he said. "So the principle is just for as long as you need the information, keep it, protect it. Once that need no longer exists, then get rid of it. Delete it."

Wilshusen also described the alarming volume and growth of security breaches involving personally identifiable information (PII) in recent years, as the government's digital infrastructure expands and comes under more frequent attack. In 2010, federal agencies reported just over 13,000 security incidents involving personal information. Last year that number rose 19 percent, to 15,560 such incidents.

The GAO is recommending that federal agencies apply consistent standards to their data-collection programs and their use of personal information, take more steps to inform the public about privacy protections, and limit the use of PII.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.