House member weighing legislation in response to VA data breach

Possibilities include changes to information security law and linking compliance with IT policies to performance reviews.

The leader of the House Veterans' Affairs Committee is preparing a package of legislative proposals in response to last month's massive data breach at the Veterans Affairs Department. If successful, the proposals could affect the enforcement of IT policies across the government.

While VA continues to review its policies for information security and information technology management, Rep. Steve Buyer, R-Ind., chairman of the House panel, said he is considering various options that could include changes to the law governing federal information security, elevating the chief information officer position to an undersecretary level and tying employee compliance with IT policies to performance reviews.

At a hearing Wednesday on the VA's IT organizational structure, Buyer said the proposal also could include a measure prohibiting the Defense Department and the VA from using Social Security numbers as personal identifiers and a directive ordering the VA secretary to go ahead with a plan to provide veterans with free credit monitoring. Such a directive would allow the department to circumvent a federal court order barring it from publicizing the offer.

Buyer said he has already spoken to Rep. Tom Davis, R-Va., chairman of the House Government Reform Committee, about making changes to the 2002 Federal Information Security Management Act.

A spokesman for the Government Reform Committee said Monday that members are looking to include specific protocols for the disclosure of data breaches, including the speed with which breaches should be revealed.

In light of the recent disclosure that a company in India subcontracting with the VA threatened to release the medical information of 30,000 veterans, Buyer said he also wants to consider measures regulating offshore contracting and subcontracting.

VA Acting CIO Robert Howard said a measure giving the CIO the ability to tie an employee's performance review -- and thus merit-based bonus pay -- to IT compliance would be a good mechanism for enforcing security "that ought to be put in place."

Two former VA chief information officers, Robert McFarland and John Gauss, said they believe elevating the agency's CIO to the position of an undersecretary would give technology issues greater prominence within the organization.

"The infrastructure that moves the VA is an IT infrastructure," said McFarland, who left the department earlier this year. "[Elevating the CIO to the position of an undersecretary] would give the CIO an equal seat at the table with the main administration."

McFarland said previous experiences at the VA prove that tying merit bonuses to IT security works. "People's paychecks would be affected," McFarland said.

Buyer said he hopes to put forth the legislative package in the next two or three weeks, hold a markup by the third week of July and deliver it to the House floor prior to the August recess.

Acknowledging that the package will cross the jurisdictions of several other committees, including the House Government Reform Committee, Buyer said the schedule for the legislation is very ambitious.

"What we're working on here is so important, I don't want a timeline to drive the substance," Buyer said. "I don't want this package delayed."