Washington, D.C. – U.S. Senator Daniel K. Akaka (D-Hawaii) made the following remarks in the Congressional Record today urging his colleagues to support the Cybersecurity Act of 2012. The bill was later filibustered by Senate Republicans.
I rise today to urge my colleagues to allow an up-or-down vote on the Cybersecurity Act of 2012 (S. 3414), and to support my amendment to further strengthen the privacy safeguards in this important legislation.
National security experts from both parties have warned us about the very serious danger of a major cyber attack. It is not a matter of if, but when it will occur. As someone who witnessed the attack on Pearl Harbor and was in Washington, D.C. on September 11th, 2001, it is frightening to know that in our modern world where much of our critical infrastructure and security systems are controlled by computers, a successful attack on a critical system could lead to more loss of life, injury, and damage than those terrible events. We have a moral duty to act immediately. That is why I urge my colleagues to put partisan differences aside and pass the Cybersecurity Act of 2012 for the safety of our nation.
As a senior member of the Senate Homeland Security and Governmental Affairs Committee, I know that Chairman Lieberman and Ranking Member Collins have been working diligently for several years to get this bill to the floor for a vote. Commerce Committee Chairman Rockefeller and Intelligence Committee Chairman Feinstein have also been working tirelessly to advance this legislation. While I continue to support the even stronger critical infrastructure protections in the original cybersecurity bill introduced in February, I accept the revisions the bill sponsors have made to accommodate concerns raised by several of my colleagues.
I want thank the bill sponsors for working with me during this lengthy process to make improvements to the legislation. In order for our country to have robust cybersecurity capabilities, we must have a talented and well-trained cyber workforce. I am pleased that the bill incorporates my recommendations to strengthen Title IV of the bill, which provide the necessary tools to build a first class cyber workforce while maintaining employee and whistleblower protections. Furthermore, these workforce provisions establish a supervisory training program that will help managers properly evaluate their cyber employees.
I also want to commend the sponsors for the marked improvement of the underlying privacy and civil liberties protections in the bill. I collaborated with Senators Franken, Durbin, Wyden, Sanders, Coons, and Blumenthal to strengthen protections in the information sharing provisions of the bill, which allow companies to share cybersecurity information with each other and the government. We worked with privacy and civil liberties groups from across the political spectrum on a series of recommendations, most of which were accepted by the bill’s sponsors.
With these changes, the privacy and civil liberties protections in the Cybersecurity Act are much better than the protections contained in the Cyber Intelligence Sharing and Protection Act that recently passed the House, and the SECURE IT Act that has been introduced in the Senate. However, I am still pushing for further improvements to enhance the privacy and civil liberties protections in the Cybersecurity Act.
I have offered an amendment that seeks to strengthen the underlying legal framework protecting Americans’ personal information held in the computer systems that the Cybersecurity Act seeks to protect. My amendment will close loopholes in federal privacy requirements, centralize federal oversight of existing privacy protections, and reinstate basic remedies for privacy violations. My amendment, which reflects input from the bill’s sponsors, would make four small changes that would have significant benefits to American’s privacy and data security.
First, my amendment would address federal agencies’ uneven implementation of Office of Management Budget (OMB) guidance on preventing breaches of private information and notifying affected individuals when they do occur. In testimony this week before the Oversight of Government Management Subcommittee that I chair, we learned that the agency that oversees the Thrift Savings Plan (TSP) had no breach notification plan in place at the time of the recent breach involving 123,000 participating federal employees. Specifically, my amendment would strengthen data breach notification requirements for federal agencies by directing OMB to establish requirements for agencies to provide timely notification to individuals whose personal information was compromised. It would require agency heads to comply with the policies, and mandate that OMB report to Congress annually on agencies’ compliance.
Second, my amendment would provide basic transparency when agencies rely on commercial databases. Agencies frequently use private sector databases for law enforcement and other purposes that affect individuals’ rights, but this is not covered by federal privacy laws. My amendment would require agencies to conduct privacy impact assessments on agencies’ use of commercial sources of Americans’ private information so that individuals have appropriate protections such as access, notice, correction, and purpose limitations.
Third, my amendment would fill a hole in the government’s privacy leadership. Despite OMB’s mandate to oversee privacy policies government-wide, it lacks a Chief Privacy Officer. As a result, responsibility for protecting privacy is fragmented and agencies’ compliance with privacy-related statutes and regulations is inconsistent. Furthermore, the Administration lacks a representative on international privacy issues. My amendment would direct OMB to designate a central officer within OMB who would have authority over privacy across the government. This officer would also be responsible for assessing the privacy impact of the new information sharing provisions in the cybersecurity bill.
Finally, it would address the Supreme Court’s ruling restricting Privacy Act remedies earlier this year that has by many experts’ accounts rendered the Privacy Act toothless. In Federal Aviation Administration v. Cooper, the Social Security Administration violated the Privacy Act by sharing the plaintiff’s HIV status with other federal agencies. The Court concluded that the plaintiff could not recover damages for emotional distress because Privacy Act damages are limited to economic harm. My amendment would heed the call of scholars across the political spectrum to amend the Privacy Act and fix this decision. It would also clarify that in the event of a federal violation in the information sharing title of the bill, a victim would be entitled to recovery for the same types of non-economic harms.
My amendment will further strengthen the privacy and civil liberties protections in the cybersecurity bill while enhancing the security of personal information held by the federal government. I urge my colleagues to allow an up or down vote on the Cybersecurity Act, which is so critical to our nation’s safety, and to support my amendment.