
Federal agencies that discover a data breach of personally identifiable information must report the breach to US-CERT (part of the Department of Homeland Security) within one hour. The directive came from the July 12 memorandum issued by the Office of Management and Budget (OMB). According to Karen Evans, administrator of OMB’s Office of E-Government and Training, agencies should report breach incidents regardless of whether the breach is confirmed or merely suspected, and regardless of whether the information was held in electronic or in "physical" form.

The memorandum defines "personally identifiable information" as:

any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Although this is an encouraging requirement in the direction of government transparency, especially in light of some recent government data breaches, the one-hour requirement may be a little too rigid. If agencies are to conform to it, they would have little time to actually figure out what happened and make a meaningful report to US-CERT. By rushing the reporting, US-CERT may be so swamped with premature and inaccurate data that it may not be able to distinguish real threats and breaches from mere mistakes.

July 19th, 2006 by dm | Privacy, Law & Policy

According to Reps. Bachus (R-Ala.) and Pearce (R-N.M.), any proposal in Congress to limit consumers’ ability to unmask the identities of Web sites with whom they transact business would amount to a "radical change" that would interfere with consumers’ ability to adequately protect themselves. In a hearing entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing," the Representatives strongly opposed measures to limit consumers’ ability to query the WHOIS database maintaining information on every registered domain name.

Many of our readers know that the WHOIS database was originally intended as a tool for efficient communication with domain owners over domain or hosting technical issues. However, as time went on, other parties started using the database for a variety of [illegal] purposes, e.g. as a source of email addresses to be spammed, or of physical addresses to be used as part of a scam. In addition, exposing private information in plain text and unprotected on the Internet makes many legitimate domain name owners somewhat nervous: having a name, a telephone number, a physical address, and a list of other domain names owned by an individual can prove very useful to cybercriminals.

In April, ICANN (Internet Corporation for Assigned Names and Numbers) decided that it should do more to protect the privacy rights of domain name owners, and an ICANN advisory task force recommended to ICANN’s board that it revamp its policy approach to WHOIS by limiting access to the data to technical administration purposes only. Intellectual property owners and government agencies have objected to this proposal, fearing that, if adopted, it could hinder IP or law enforcement efforts. Even though no one at the hearing argued that law enforcement should not have unfettered access to the database, the issue was framed as whether consumer access to WHOIS might be bargained away in an effort to strike a deal that would permit continued access to the data by private entities, such as IP owners and banks, who have come to depend on the data for their own enforcement efforts.

In addition, Rep. Bachus, with FTC and Department of Commerce support, indicated that he was worried that limiting consumer access to WHOIS could deprive consumers of their "first line of defense" in protecting themselves and thus force them to complain to the Federal Trade Commission, which would be swamped with consumer complaints. The problem with this claim, however, is that 1) WHOIS information, especially in cases where potential fraud is involved, is very often inaccurate, and 2) consumers may lack the technical savvy to sift out the true identity of the registrant. Marc Rotenberg, executive director of the Electronic Privacy Information Center, suggested that WHOIS data should be treated similarly to department of motor vehicles records: not widely available to the public, but accessible in appropriate and somewhat narrowly defined circumstances.

See more information on the hearing and witness testimony.