The Cyber Security Industry Alliance (CSIA), an industry consortium whose members include security vendors such as CA, F-Secure, ISS, Qualys, RSA, SurfControl and Symantec, is officially backing the re-introduction of a federal data breach act in Congress.

Representative Tom Davis (R-VA), the ranking member of the House Oversight and Government Reform Committee, re-introduced the Federal Agency Data Breach Protection Act on May 3. Like previous attempts to establish a uniform set of requirements for government agencies that experience data incidents in which sensitive information is exposed, the latest stab at legislation outlines policies, procedures, and standards for federal bureaus to follow in the event of a problem.

“Over the past two years, there have been a number of unfortunate data breaches at federal agencies, most notably at the Department of Veterans Affairs,” Davis said in introducing the bill. “While some agencies have improved their overall security posture, there is still much more work to be done to ensure that sensitive data is better protected. Enactment of this legislation will make the U.S. government more accountable to its citizens through a stronger notification system that reduces the possibility of further loss of sensitive personal information.”

The latest version of the bill also proposes to give federal-sector CIOs and CISOs the authority to enforce the regulations under the Federal Information Security Management Act (FISMA). The bill also attempts to cover the protection and tracking of government-owned hardware containing sensitive data. Davis introduced the same legislation in the 109th Congress last year.

“CSIA believes that protecting personal information, reducing identity theft, and securing sensitive data are all critical issues that directly impact economic growth,” Tim Bennett, president of the CSIA, said in a statement. “We strongly support the passage of [this] bill, which gives agency CIOs and CISOs the much-needed authority to enforce data breach notification requirements.”

“Whether held by either the government or a private sector entity, citizens absolutely have the right to know when their sensitive personal information has been compromised, so that they can take the necessary steps to prevent further damage,” Bennett said. “This reiterates the need for Congress to enact a comprehensive national law that secures sensitive personal information no matter where it is held, either by the government or private sector, and prevents further data breaches and addresses leaks once they occur.”

CSIA officials pledged to help Congress move the legislation forward over the next several weeks.

Many federal security experts agree that the government must start doing a better job of protecting its IT assets if it is to begin establishing laws governing private-sector companies’ handling of sensitive data, as many individual states already have.

“Our primary role in improving the data security issue is to clean up our own house, and we’re aggressively engaged in that work; I’m proud of the effort underway, which hasn’t necessarily surfaced publicly,” said Robert C. Cresanti, the chief privacy officer and undersecretary of Commerce for Technology. “We need an aggressive review of all the data the government keeps and collects, and to question the need for use of personal identifiable information that may have been used out of convenience before.”

“We’re reforming the way we look at managing identity, and what the essential elements of that process are,” Cresanti told InfoWorld in a recent interview. “We’re looking more closely at what we’re collecting, how it is stored, why we need it, and what we’re doing to protect it, and I think we’re doing a lot better job on those fronts already.”