Mr. AKAKA. Mr. President, I am introducing the "Data Theft Prevention Act of 2006" in response to concerns that arose following the recent theft of computer equipment from the home of a Department of Veterans Affairs employee in early May. I would like to thank my friends Senator Schumer, Senator Murray, and Senator Clinton for being original co-sponsors of this legislation.
The stolen equipment contained personal information on as many as 26.5 million veterans, active duty, National Guard and Reserve personnel. These files had been downloaded from VA databases over a period of three years by the employee without any authorization, then taken out of VA and placed on personal computer equipment at the employee’s home.
I am sure my colleagues will be as alarmed as I was when I tell them that this unauthorized removal of the personal information from the Department of Veterans Affairs was not an illegal act. In fact, I was told by VA’s Inspector General that the employee’s only misdeed was of a recently established VA Security Guideline, which only carries the weight of suggested employee behavior. Despite VA’s efforts to provide cyber security for the myriad of databases the Department controls, at the time of the theft there was no policy or law in place to prevent or deter an unauthorized act.
The legislation I am introducing today would establish federal penalties for anyone, whether a government employee or government contractor, who knowingly and without authorization views, uses, downloads, or removes any means of identification or individually identifiable health information that is in a federal database. Although the incident which triggered my present concerns occurred in VA, this legislation would apply to all federal departments and agencies. The legislation would also penalize those who would use any such personal information for criminal purposes.
Mr. President, this legislation is intended to compliment existing federal personal information security policies and to emphasize the need for all federal departments and agencies to review existing policies and clearly lay out who is and isn’t authorized to use, view, or download personal information.
This legislation would send the clear message that anyone who knowingly and without authorization removes personal or health information from a federal database does so at their own risk.
VA Secretary Nicholson testified last week before the House Government Reform Committee that he thought that there should be consideration of "putting some kind of teeth in an enforcement mechanism for the compromising and careless and negligent handling of personal information." This measure would do just that.
Mr. President, if enacted, violation of the provisions of this law could result in a fine of up to $100,000, imprisonment for one year, or both. These penalties are similar to those which currently apply to Internal Revenue Service employees who are responsible for breaches of tax information.
Given the potential impact to our veterans, active duty, National Guard and reserve personnel through identity theft and the incredible disruption and costs incurred by the government from the theft of the VA data, it is vital that we take steps to deter any future incidents and hold accountable those who are responsible.
Mr. President, I urge our colleagues to support this important legislation and to work with me for its prompt enactment. We must do all we can to prevent any further compromise of personal data in the hands of the government.
Mr. President, I ask unanimous consent that the text of this legislation be published in the Record at the end of my remarks.
