[House Report 109-651]
[From the U.S. Government Publishing Office]



                                                                       
109th Congress                                            Rept. 109-651
                        HOUSE OF REPRESENTATIVES
 2d Session                                                      Part 1

======================================================================



 
           VETERANS IDENTITY AND CREDIT SECURITY ACT OF 2006

                                _______
                                

               September 13, 2006.--Ordered to be printed

                                _______
                                

   Mr. Buyer, from the Committee on Veterans' Affairs, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 5835]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Veterans' Affairs, to whom was referred the 
bill (H.R. 5835) to amend title 38, United States Code, to 
improve information management within the Department of 
Veterans Affairs, and for other purposes, having considered the 
same, report favorably thereon with an amendment and recommend 
that the bill as amended do pass.

  The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Veterans Identity and Credit Security 
Act of 2006''.

SEC. 2. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

   (a) Authority of Director of Office of Management and Budget to 
Establish Data Breach Policies.--Section 3543(a) of title 44, United 
States Code, is amended--
          (1) by striking ``and'' at the end of paragraph (7);
          (2) by striking the period and inserting ``; and'' at the end 
        of paragraph (8); and
          (3) by adding at the end the following new paragraph:
          ``(9) establishing policies, procedures, and standards for 
        agencies to follow in the event of a breach of data security 
        involving the disclosure of sensitive personal information in 
        violation of section 552a of title 5, including a requirement 
        for timely notice to be given to those individuals whose 
        sensitive personal information could be compromised as a result 
        of such breach, except no notice shall be required if the 
        breach does not create a reasonable risk of identity theft, 
        fraud, or other unlawful conduct regarding such individual.''.
  (b) Authority of Chief Information Officer to Enforce Data Breach 
Policies.--Section 3544(a)(3) of title 44, United States Code, is 
amended by inserting after ``authority to ensure compliance with'' the 
following: ``and, to the extent determined necessary and explicitly 
authorized by the head of the agency, to enforce''.
  (c) Inclusion of Data Breach Notification in Agency Information 
Security Programs.--Section 3544(b) of title 44, United States Code, is 
amended--
          (1) by striking ``and'' at the end of paragraph (7);
          (2) by striking the period and inserting ``; and'' at the end 
        of paragraph (8); and
          (3) by adding at the end the following new paragraph:
          ``(9) procedures for notifying individuals whose sensitive 
        personal information is compromised consistent with policies, 
        procedures, and standards established under section 3543(a)(9) 
        of this title.''.
  (d) Sensitive Personal Information Definition.--Section 3542(b) of 
title 44, United States Code, is amended by adding at the end the 
following new paragraph:
          ``(4) The term `sensitive personal information' means any 
        information contained in a record, as defined in section 
        552a(4) of title 5.''.

SEC. 3. UNDER SECRETARY FOR INFORMATION SERVICES.

  (a) Under Secretary.--Chapter 3 of title 38, United States Code, is 
amended by inserting after section 307 the following new section:

``Sec. 307A. Under Secretary for Information Services

  ``(a) Under Secretary.--There is in the Department an Under Secretary 
for Information Services, who is appointed by the President, by and 
with the advice and consent of the Senate. The Under Secretary shall be 
the head of the Office of Information Services and shall perform such 
functions as the Secretary shall prescribe.
  ``(b) Service as Chief Information Officer.--Notwithstanding any 
other provision of law, the Under Secretary for Information Services 
shall serve as the Chief Information Officer of the Department under 
section 310 of this title.''.
  (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by inserting after the item relating to section 
307 the following new item:

``307A. Under Secretary for Information Services.''.
  (c) Conforming Amendment.--Section 308(b) of such title is amended by 
striking paragraph (5) and redesignating paragraphs (6) through (11) as 
paragraphs (5) through (10), respectively.

SEC. 4. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY.

  (a) Information Security.--Chapter 57 of title 38, United States 
Code, is amended by adding at the end the following new subchapter:

                 ``SUBCHAPTER III--INFORMATION SECURITY

``Sec. 5721. Definitions

  ``For the purposes of this subchapter:
          ``(1) The term `sensitive personal information' means the 
        name, address, or telephone number of an individual, in 
        combination with any of the following:
                  ``(A) The Social Security number of the individual.
                  ``(B) The date of birth of the individual.
                  ``(C) Any information not available as part of the 
                public record regarding the individual's military 
                service or health.
                  ``(D) Any financial account or other financial 
                information relating to the individual.
                  ``(E) The driver's license number or equivalent State 
                identification number of the individual.
                  ``(F) The deoxyribonucleic acid profile or other 
                unique biometric data of the individual, including the 
                fingerprint, voice print, retina or iris image, or 
                other unique physical representation of the individual.
          ``(2) The term `data breach' means the loss, theft, or other 
        unauthorized access to data containing sensitive personal 
        information, in electronic or printed form, that results in the 
        potential compromise of the confidentiality or integrity of the 
        data.
          ``(3) The term `data breach analysis' means the 
        identification of any misuse of sensitive personal information 
        involved in a data breach.
          ``(4) The term `fraud resolution services' means services to 
        assist an individual in the process of recovering and 
        rehabilitating the credit of the individual after the 
        individual experiences identity theft.
          ``(5) The term `identity theft' has the meaning given such 
        term under section 603 of the Fair Credit Reporting Act (15 
        U.S.C. 1681a).
          ``(6) The term `identity theft insurance' means any insurance 
        policy that pays benefits for costs, including travel costs, 
        notary fees, and postage costs, lost wages, and legal fees and 
        expenses associated with the identity theft of the insured 
        individual.
          ``(7) The term `principal credit reporting agency' means a 
        consumer reporting agency as described in section 603(p) of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

``Sec. 5722. Office of the Under Secretary for Information Services

  ``(a) Deputy Under Secretaries.--The Office of the Under Secretary 
for Information Services shall consist of the following:
          ``(1) The Deputy Under Secretary for Information Services for 
        Security, who shall serve as the Senior Information Security 
        Officer of the Department.
          ``(2) The Deputy Under Secretary for Information Services for 
        Operations and Management.
          ``(3) The Deputy Under Secretary for Information Services for 
        Policy and Planning.
  ``(b) Appointments.--Appointments under subsection (a) shall be made 
by the Secretary, notwithstanding the limitations of section 709 of 
this title.
  ``(c) Qualifications.--At least one of the positions established and 
filled under subsection (a) shall be filled by an individual who has at 
least five years of continuous service in the Federal civil service in 
the executive branch immediately preceding the appointment of the 
individual as a Deputy Under Secretary. For purposes of determining 
such continuous service of an individual, there shall be excluded any 
service by such individual in a position--
          ``(1) of a confidential, policy-determining, policy-making, 
        or policy-advocating character;
          ``(2) in which such individual served as a noncareer 
        appointee in the Senior Executive Service, as such term is 
        defined in section 3132(a)(7) of title 5; or
          ``(3) to which such individual was appointed by the 
        President.

``Sec. 5723. Information security management

  ``(a) Responsibilities of Chief Information Officer.--To support the 
economical, efficient, and effective execution of subtitle III of 
chapter 35 of title 44, and policies and plans of the Department, the 
Secretary shall ensure that the Chief Information Officer of the 
Department has the authority and control necessary to develop, approve, 
implement, integrate, and oversee the policies, procedures, processes, 
activities, and systems of the Department relating to that subtitle, 
including the management of all related mission applications, 
information resources, personnel, and infrastructure.
  ``(b) Annual Compliance Report.--Not later than March 1 of each year, 
the Secretary shall submit to the Committees on Veterans' Affairs of 
the Senate and House of Representatives, the Committee on Government 
Reform of the House of Representatives, and the Committee on Homeland 
Security and Governmental Affairs of the Senate, a report on the 
Department's compliance with subtitle III of chapter 35 of title 44. 
The information in such report shall be displayed in the aggregate and 
separately for each Administration, office, and facility of the 
Department.
  ``(c) Reports to Secretary of Compliance Deficiencies.--(1) At least 
once every month, the Chief Information Officer shall report to the 
Secretary any deficiency in the compliance with subtitle III of chapter 
35 of title 44 of the Department or any Administration, office, or 
facility of the Department.
  ``(2) The Chief Information Officer shall immediately report to the 
Secretary any significant deficiency in such compliance.
  ``(d) Data Breaches.--(1) The Chief Information Officer shall 
immediately provide notice to the Secretary of any data breach.
  ``(2) Immediately after receiving notice of a data breach under 
paragraph (1), the Secretary shall provide notice of such breach to the 
Director of the Office of Management and Budget, the Inspector General 
of the Department, and, if appropriate, the Federal Trade Commission 
and the United States Secret Service.
  ``(e) Budgetary Matters.--When the budget for any fiscal year is 
submitted by the President to Congress under section 1105 of title 31, 
the Secretary shall submit to Congress a report that identifies amounts 
requested for Department implementation and remediation of and 
compliance with this subchapter and subtitle III of chapter 35 of title 
44. The report shall set forth those amounts both for each 
Administration within the Department and for the Department in the 
aggregate and shall identify, for each such amount, how that amount is 
aligned with and supports such implementation and compliance.

``Sec. 5724. Congressional reporting and notification of data breaches

  ``(a) Quarterly Reports.--(1) Not later than 30 days after the last 
day of a fiscal quarter, the Secretary shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
report on any data breach with respect to sensitive personal 
information processed or maintained by the Department that occurred 
during that quarter.
  ``(2) Each report submitted under paragraph (1) shall identify, for 
each data breach covered by the report, the Administration and facility 
of the Department responsible for processing or maintaining the 
sensitive personal information involved in the data breach.
  ``(b) Notification of Significant Data Breaches.--(1) In the event of 
a data breach with respect to sensitive personal information processed 
or maintained by the Secretary that the Secretary determines is 
significant, the Secretary shall provide notice of such breach to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives.
  ``(2) Notice under paragraph (1) shall be provided promptly following 
the discovery of such a data breach and the implementation of any 
measures necessary to determine the scope of the breach, prevent any 
further breach or unauthorized disclosures, and reasonably restore the 
integrity of the data system.

``Sec. 5725. Data breaches

  ``(a) Independent Risk Analysis.--(1) In the event of a data breach 
with respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall ensure that, as soon 
as possible after the data breach, a non-Department entity conducts an 
independent risk analysis of the data breach to determine the level of 
risk associated with the data breach for the potential misuse of any 
sensitive personal information involved in the data breach.
  ``(2) If the Secretary determines, based on the findings of a risk 
analysis conducted under paragraph (1), that a reasonable risk exists 
for the potential misuse of sensitive information involved in a data 
breach, the Secretary shall provide credit protection services in 
accordance with section 5726 of this title.
  ``(b) Notification.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall provide to an individual whose 
sensitive personal information is involved in that breach notice of the 
data breach--
          ``(A) in writing; or
          ``(B) by email, if--
                  ``(i) the Department's primary method of 
                communication with the individual is by email; and
                  ``(ii) the individual has consented to receive such 
                notification.
  ``(2) Notice provided under paragraph (1) shall--
          ``(A) describe the circumstances of the data breach and the 
        risk that the breach could lead to misuse, including identity 
        theft, involving the sensitive personal information of the 
        individual;
          ``(B) describe the specific types of sensitive personal 
        information that was compromised as a part of the data breach;
          ``(C) describe the actions the Department is taking to remedy 
        the data breach;
          ``(D) inform the individual that the individual may request a 
        fraud alert and credit security freeze under this section;
          ``(E) clearly explain the advantages and disadvantages to the 
        individual of receiving fraud alerts and credit security 
        freezes under this section; and
          ``(F) include such other information as the Secretary 
        determines is appropriate.
  ``(3) The notice required under paragraph (1) shall be provided 
promptly following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
  ``(c) Report.--For each data breach with respect to sensitive 
personal information processed or maintained by the Secretary, the 
Secretary shall promptly submit to the Committees on Veterans' Affairs 
of the Senate and House of Representatives a report containing the 
findings of any independent risk analysis conducted under subsection 
(a)(1), any determination of the Secretary under subsection (a)(2), and 
a description of any credit protection services provided under section 
5726 of this title.
  ``(d) Final Determination.--Notwithstanding sections 511 and 7104(a) 
of this title, any determination of the Secretary under subsection 
(a)(2) with respect to the reasonable risk for the potential misuse of 
sensitive information involved in a data breach is final and conclusive 
and may not be reviewed by any other official, administrative body, or 
court, whether by an action in the nature of mandamus or otherwise.
  ``(e) Fraud Alerts.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall arrange, upon the request of an 
individual whose sensitive personal information is involved in the 
breach to a principal credit reporting agency with which the Secretary 
has entered into a contract under section 5726(d) and at no cost to the 
individual, for the principal credit reporting agency to provide fraud 
alert services for that individual for a period of not less than one 
year, beginning on the date of such request, unless the individual 
requests that such fraud alert be removed before the end of such 
period, and the agency receives appropriate proof of the identity of 
the individual for such purpose.
  ``(2) The Secretary shall arrange for each principal credit reporting 
agency referred to in paragraph (1) to provide any alert requested 
under such subsection in the file of the individual along with any 
credit score generated in using that file, for a period of not less 
than one year, beginning on the date of such request, unless the 
individual requests that such fraud alert be removed before the end of 
such period, and the agency receives appropriate proof of the identity 
of the individual for such purpose.
  ``(f) Credit Security Freeze.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall arrange, upon the 
request of an individual whose sensitive personal information is 
involved in the breach and at no cost to the individual, for each 
principal credit reporting agency to apply a security freeze to the 
file of that individual for a period of not less than one year, 
beginning on the date of such request, unless the individual requests 
that such security freeze be removed before the end of such period, and 
the agency receives appropriate proof of the identity of the individual 
for such purpose.
  ``(2) The Secretary shall arrange for a principal credit reporting 
agency applying a security freeze under paragraph (1)--
          ``(A) to send a written confirmation of the security freeze 
        to the individual within five business days of applying the 
        freeze;
          ``(B) to refer the information regarding the security freeze 
        to other consumer reporting agencies;
          ``(C) to provide the individual with a unique personal 
        identification number or password to be used by the individual 
        when providing authorization for the release of the 
        individual's credit for a specific party or period of time; and
          ``(D) upon the request of the individual, to temporarily lift 
        the freeze for a period of time specified by the individual, 
        beginning not later than three business days after the date on 
        which the agency receives the request.

``Sec. 5726. Provision of credit protection services

  ``(a) Covered Individual.--For purposes of this section, a covered 
individual is an individual whose sensitive personal information that 
is processed or maintained by the Department (or any third-party entity 
acting on behalf of the Department) is involved, on or after August 1, 
2005, in a data breach for which the Secretary determines a reasonable 
risk exists for the potential misuse of sensitive personal information 
under section 5725(a)(2) of this title.
  ``(b) Notification.--(1) In addition to any notice required under 
subsection 5725(b) of this title, the Secretary shall provide to a 
covered individual notice in writing that--
          ``(A) the individual may request credit protection services 
        under this section;
          ``(B) clearly explains the advantages and disadvantages to 
        the individual of receiving credit protection services under 
        this section;
          ``(C) includes a notice of which principal credit reporting 
        agency the Secretary has entered into a contract with under 
        subsection (d), and information about requesting services 
        through that agency;
          ``(D) describes actions the individual can or should take to 
        reduce the risk of identity theft; and
          ``(E) includes such other information as the Secretary 
        determines is appropriate.
  ``(2) The notice required under paragraph (1) shall be made as 
promptly as possible and without unreasonable delay following the 
discovery of a data breach for which the Secretary determines a 
reasonable risk exists for the potential misuse of sensitive personal 
information under section 5725(a)(2) of this title and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
  ``(3) The Secretary shall ensure that each notification under 
paragraph (1) includes a form or other means for readily requesting the 
credit protection services under this section. Such form or other means 
may include a telephone number, email address, or Internet website 
address.
  ``(c) Availability of Services Through Other Government Agencies.--If 
a service required to be provided under this section is available to a 
covered individual through another department or agency of the 
Government, the Secretary and the head of that department or agency may 
enter into an agreement under which the head of that department or 
agency agrees to provide that service to the covered individual.
  ``(d) Contract With Credit Reporting Agency.--Subject to the 
availability of appropriations and notwithstanding any other provision 
of law, the Secretary shall enter into contracts or other agreements as 
necessary with one or more principal credit reporting agencies in order 
to ensure, in advance, the provision of credit protection services 
under this section and fraud alerts and security freezes under section 
5725 of this title. Any such contract or agreement may include 
provisions for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
  ``(e) Data Breach Analysis.--The Secretary shall arrange, upon the 
request of a covered individual and at no cost to the individual, to 
provide data breach analysis for the individual for a period of not 
less than one year, beginning on the date of such request.
  ``(f) Provision of Credit Monitoring Services and Identity Theft 
Insurance.--During the one-year period beginning on the date on which 
the Secretary notifies a covered individual that the individual's 
sensitive personal information is involved in a data breach, the 
Secretary shall arrange, upon the request of the individual and without 
charge to the individual, for the provision of credit monitoring 
services to the individual. Credit monitoring services under this 
subsection shall include each of the following:
          ``(1) One copy of the credit report of the individual every 
        three months.
          ``(2) Fraud resolution services for the individual.
          ``(3) Identity theft insurance in a coverage amount that does 
        not exceed $30,000 in aggregate liability for the insured.

``Sec. 5727. Contracts for data processing or maintenance

  ``(a) Contract Requirements.--If the Secretary enters into a contract 
for the performance of any Department function that requires access to 
sensitive personal information, the Secretary shall require as a 
condition of the contract that--
          ``(1) the contractor shall not, directly or through an 
        affiliate of the contractor, disclose such information to any 
        other person unless the disclosure is lawful and is expressly 
        permitted under the contract;
          ``(2) the contractor, or any subcontractor for a subcontract 
        of the contract, shall promptly notify the Secretary of any 
        data breach that occurs with respect to such information.
  ``(b) Liquidated Damages.--Each contract subject to the requirements 
of subsection (a) shall provide for liquidated damages to be paid by 
the contractor to the Secretary in the event of a data breach with 
respect to any sensitive personal information processed or maintained 
by the contractor or any subcontractor under that contract.
  ``(c) Provision of Credit Protection Services.--Any amount collected 
by the Secretary under subsection (b) shall be deposited in or credited 
to the Department account from which the contractor was paid and shall 
remain available for obligation without fiscal year limitation 
exclusively for the purpose of providing credit protection services in 
accordance with section 5726 of this title.

``Sec. 5728. Authorization of appropriations

  ``There are authorized to be appropriated to carry out this 
subchapter such sums as may be necessary for each fiscal year.''.
  (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by adding at the end the following new items:

                  ``Subchapter III--Information Security

``5721. Definitions.
``5722. Office of the Under Secretary for Information Services.
``5723. Information security management.
``5724. Congressional reporting and notification of data breaches.
``5725. Data breaches.
``5726. Provision of credit protection services.
``5727. Contracts for data processing or maintenance.
``5728. Authorization of appropriations.''.

  (c) Deadline for Regulations.--Not later than 60 days after the date 
of the enactment of this Act, the Secretary of Veterans Affairs shall 
publish regulations to carry out subchapter III of chapter 57 of title 
38, United States Code, as added by subsection (a).

SEC. 5. REPORT ON FEASIBILITY OF USING PERSONAL IDENTIFICATION NUMBERS 
                    FOR IDENTIFICATION.

  Not later than 180 days after the date of the enactment of this Act, 
the Secretary of Veterans Affairs shall submit to Congress a report 
containing the assessment of the Secretary with respect to the 
feasibility of using personal identification numbers instead of Social 
Security numbers for the purpose of identifying individuals whose 
sensitive personal information (as that term is defined in section 5721 
of title 38, United States Code, as added by section 4) is processed or 
maintained by the Secretary.

SEC. 6. DEADLINE FOR APPOINTMENTS.

  (a) Deadline.--Not later than 180 days after the date of the 
enactment of this Act--
          (1) the President shall nominate an individual to serve as 
        the Under Secretary of Veterans Affairs for Information 
        Services under section 307A of title 38, United States Code, as 
        added by section 3; and
          (2) the Secretary of Veterans Affairs shall appoint an 
        individual to serve as each of the Deputy Under Secretaries of 
        Veterans Affairs for Information Services under section 5722 of 
        such title, as added by section 4.
  (b) Report.--Not later than 30 days after the date of the enactment 
of this Act, and every 30 days thereafter until the appointments 
described in subsection (a) are made, the Secretary of Veterans Affairs 
shall submit to Congress a report describing the progress of such 
appointments.

SEC. 7. INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM.

  (a) Program Required.--Title 38, United States Code, is amended by 
inserting after chapter 78 the following new chapter:

    ``CHAPTER 79--INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM

``Sec.
``7901. Programs; purpose.
``7902. Scholarship program.
``7903. Education debt reduction program.
``7904. Preferences in awarding financial assistance.
``7905. Requirement of honorable discharge for veterans receiving 
assistance.
``7906. Regulations.
``7907. Termination.

``Sec. 7901. Programs; purpose

  ``(a) In General.--To encourage the recruitment and retention of 
Department personnel who have the information security skills necessary 
to meet Department requirements, the Secretary shall carry out programs 
in accordance with this chapter to provide financial support for 
education in computer science and electrical and computer engineering 
at accredited institutions of higher education.
  ``(b) Types of Programs.--The programs authorized under this chapter 
are as follows:
          ``(1) Scholarships for pursuit of doctoral degrees in 
        computer science and electrical and computer engineering at 
        accredited institutions of higher education.
          ``(2) Education debt reduction for Department personnel who 
        hold doctoral degrees in computer science and electrical and 
        computer engineering at accredited institutions of higher 
        education.

``Sec. 7902. Scholarship program

  ``(a) Authority.--(1) Subject to the availability of appropriations, 
the Secretary shall establish a scholarship program under which the 
Secretary shall, subject to subsection (d), provide financial 
assistance in accordance with this section to a qualified person--
          ``(A) who is pursuing a doctoral degree in computer science 
        or electrical or computer engineering at an accredited 
        institution of higher education; and
          ``(B) who enters into an agreement with the Secretary as 
        described in subsection (b).
  ``(2)(A) Except as provided under subparagraph (B), the Secretary may 
provide financial assistance under this section to an individual for up 
to five years.
  ``(B) The Secretary may waive the limitation under subparagraph (A) 
if the Secretary determines that such a waiver is appropriate.
  ``(3)(A) The Secretary may award up to five scholarships for any 
academic year to individuals who did not receive assistance under this 
section for the preceding academic year.
  ``(B) Not more than one scholarship awarded under subparagraph (A) 
may be awarded to an individual who is an employee of the Department 
when the scholarship is awarded.
  ``(b) Service Agreement for Scholarship Recipients.--(1) To receive 
financial assistance under this section an individual shall enter into 
an agreement to accept and continue employment in the Department for 
the period of obligated service determined under paragraph (2).
  ``(2) For the purposes of this subsection, the period of obligated 
service for a recipient of financial assistance under this section 
shall be the period determined by the Secretary as being appropriate to 
obtain adequate service in exchange for the financial assistance and 
otherwise to achieve the goals set forth in section 7901(a) of this 
title. In no event may the period of service required of a recipient be 
less than the period equal to two times the total period of pursuit of 
a degree for which the Secretary agrees to provide the recipient with 
financial assistance under this section. The period of obligated 
service is in addition to any other period for which the recipient is 
obligated to serve on active duty or in the civil service, as the case 
may be.
  ``(3) An agreement entered into under this section by a person 
pursuing a doctoral degree shall include terms that provide the 
following:
          ``(A) That the period of obligated service begins on a date 
        after the award of the degree that is determined under the 
        regulations prescribed under section 7906 of this title.
          ``(B) That the individual will maintain satisfactory academic 
        progress, as determined in accordance with those regulations, 
        and that failure to maintain such progress constitutes grounds 
        for termination of the financial assistance for the individual 
        under this section.
          ``(C) Any other terms and conditions that the Secretary 
        determines appropriate for carrying out this section.
  ``(c) Amount of Assistance.--(1) The amount of the financial 
assistance provided for an individual under this section shall be the 
amount determined by the Secretary as being necessary to pay--
          ``(A) the tuition and fees of the individual; and
          ``(B) $1500 to the individual each month (including a month 
        between academic semesters or terms leading to the degree for 
        which such assistance is provided or during which the 
        individual is not enrolled in a course of education but is 
        pursuing independent research leading to such degree) for 
        books, laboratory expenses, and expenses of room and board.
  ``(2) In no case may the amount of assistance provided for an 
individual under this section for an academic year exceed $50,000.
  ``(3) In no case may the total amount of assistance provided for an 
individual under this section exceed $200,000.
  ``(4) Notwithstanding any other provision of law, financial 
assistance paid an individual under this section shall not be 
considered as income or resources in determining eligibility for, or 
the amount of benefits under, any Federal or federally assisted 
program.
  ``(d) Repayment for Period of Unserved Obligated Service.--(1) An 
individual who receives financial assistance under this section shall 
repay to the Secretary an amount equal to the unearned portion of the 
financial assistance if the individual fails to satisfy the 
requirements of the service agreement entered into under subsection 
(b), except in certain circumstances authorized by the Secretary.
  ``(2) The Secretary may establish, by regulations, procedures for 
determining the amount of the repayment required under this subsection 
and the circumstances under which an exception to the required 
repayment may be granted.
  ``(3) An obligation to repay the Secretary under this subsection is, 
for all purposes, a debt owed the United States. A discharge in 
bankruptcy under title 11 does not discharge a person from such debt if 
the discharge order is entered less than five years after the date of 
the termination of the agreement or contract on which the debt is 
based.
  ``(e) Waiver or Suspension of Compliance.--The Secretary shall 
prescribe regulations providing for the waiver or suspension of any 
obligation of an individual for service or payment under this section 
(or an agreement under this section) whenever noncompliance by the 
individual is due to circumstances beyond the control of the individual 
or whenever the Secretary determines that the waiver or suspension of 
compliance is in the best interest of the United States.
  ``(f) Internships.--(1) The Secretary may offer a compensated 
internship to an individual for whom financial assistance is provided 
under this section during a period between academic semesters or terms 
leading to the degree for which such assistance is provided. 
Compensation provided for such an internship shall be in addition to 
the financial assistance provided under this section.
  ``(2) An internship under this subsection shall not be counted toward 
satisfying a period of obligated service under this section.
  ``(g) Ineligibility of Individuals Receiving Certain Education 
Assistance Payments.--An individual who receives a payment of 
educational assistance under chapter 30, 31, 32, 34, or 35 of this 
title or chapter 1606 or 1607 of title 10 for a month in which the 
individual is enrolled in a course of education leading to a doctoral 
degree in information security is not eligible to receive financial 
assistance under this section for that month.

``Sec. 7903. Education debt reduction program

  ``(a) Authority.--(1) Subject to the availability of appropriations, 
the Secretary shall establish an education debt reduction program under 
which the Secretary shall make education debt reduction payments under 
this section to qualified individuals eligible under subsection (b) for 
the purpose of reimbursing such individuals for payments by such 
individuals of principal and interest on loans described in paragraph 
(2) of that subsection.
  ``(2)(A) For each fiscal year, the Secretary may accept up to five 
individuals into the program established under paragraph (1) who did 
not receive such a payment during the preceding fiscal year.
  ``(B) Not more than one individual accepted into the program for a 
fiscal year under subsection (A) shall be a Department employee as of 
the date on which the individual is accepted into the program.
  ``(b) Eligibility.--An individual is eligible to participate in the 
program under this section if the individual--
          ``(1) has completed a doctoral degree in computer science or 
        electrical or computer engineering at an accredited institution 
        of higher education during the five-year period preceding the 
        date on which the individual is hired;
          ``(2) is an employee of the Department who serves in a 
        position related to information security (as determined by the 
        Secretary); and
          ``(3) owes any amount of principal or interest under a loan, 
        the proceeds of which were used by or on behalf of that 
        individual to pay costs relating to a doctoral degree in 
        computer science or electrical or computer engineering at an 
        accredited institution of higher education.
  ``(c) Amount of Assistance.--(1) Subject to paragraph (2), the amount 
of education debt reduction payments made to an individual under this 
section may not exceed $82,500 over a total of five years, of which not 
more than $16,500 of such payments may be made in each year.
  ``(2) The total amount payable to an individual under this section 
for any year may not exceed the amount of the principal and interest on 
loans referred to in subsection (b)(3) that is paid by the individual 
during such year.
  ``(d) Payments.--(1) The Secretary shall make education debt 
reduction payments under this section on an annual basis.
  ``(2) The Secretary shall make such a payment--
          ``(A) on the last day of the one-year period beginning on the 
        date on which the individual is accepted into the program 
        established under subsection (a); or
          ``(B) in the case of an individual who received a payment 
        under this section for the preceding fiscal year, on the last 
        day of the one-year period beginning on the date on which the 
        individual last received such a payment.
  ``(3) Notwithstanding any other provision of law, education debt 
reduction payments under this section shall not be considered as income 
or resources in determining eligibility for, or the amount of benefits 
under, any Federal or federally assisted program.
  ``(e) Performance Requirement.--The Secretary may make education debt 
reduction payments to an individual under this section for a year only 
if the Secretary determines that the individual maintained an 
acceptable level of performance in the position or positions served by 
the individual during the year.
  ``(f) Notification of Terms of Provision of Payments.--The Secretary 
shall provide to an individual who receives a payment under this 
section notice in writing of the terms and conditions that apply to 
such a payment.
  ``(g) Covered Costs.--For purposes of subsection (b)(3), costs 
relating to a course of education or training include--
          ``(1) tuition expenses; and
          ``(2) all other reasonable educational expenses, including 
        fees, books, and laboratory expenses.

``Sec. 7904. Preferences in awarding financial assistance

  ``In awarding financial assistance under this chapter, the Secretary 
shall give a preference to qualified individuals who are otherwise 
eligible to receive the financial assistance in the following order of 
priority:
          ``(1) Veterans with service-connected disabilities.
          ``(2) Veterans.
          ``(3) Persons described in section 4215(a)(1)(B) of this 
        title.
          ``(4) Individuals who received or are pursuing degrees at 
        institutions designated by the National Security Agency as 
        Centers of Academic Excellence in Information Assurance 
        Education.
          ``(5) Citizens of the United States.

``Sec. 7905. Requirement of honorable discharge for veterans receiving 
                    assistance

  ``No veteran shall receive financial assistance under this chapter 
unless the veteran was discharged from the Armed Forces under honorable 
conditions.

``Sec. 7906. Regulations

  ``The Secretary shall prescribe regulations for the administration of 
this chapter.

``Sec. 7907. Termination

  ``The authority of the Secretary to make a payment under this chapter 
shall terminate on July 31, 2017.''.
  (b) GAO Report.--Not later than three years after the date of the 
enactment of this Act, the Comptroller General shall submit to Congress 
a report on the scholarship and education debt reduction programs under 
chapter 79 of title 38, United States Code, as added by subsection (a).
  (c) Applicability of Scholarships.--Section 7902 of title 38, United 
States Code, as added by subsection (a), shall apply with respect to 
financial assistance provided for an academic semester or term that 
begins on or after August 1, 2007.
  (d) Clerical Amendment.--The tables of chapters at the beginning of 
such title, and at the beginning of part V of such title, are amended 
by inserting after the item relating to chapter 78 the following new 
item:

``79. Information Security Education Assistance Program.....    7901''.

                              Introduction

    The reported bill reflects the Committee's consideration of 
H.R. 5455, H.R. 5464, H.R. 5467, H.R. 5490, H.R. 5577, H.R. 
5588, H.R. 5636, H.R. 5783, and H.R. 5835, as amended.
    On May 23, 2006, the Honorable John T. Salazar introduced 
H.R. 5455, the Veterans' Identity Protection Act, which would 
require the Secretary of Veterans Affairs to provide free 
credit monitoring and credit reports for veterans and others 
affected by the theft of veterans' personal data, and to ensure 
that such persons are appropriately notified of such thefts.
    On May 24, 2006, the Honorable Marsha Blackburn introduced 
H.R. 5464, which would require that veterans be notified that 
their data was stolen, and that the veteran could request a 
free credit report every three months for the next year, and 
have a year of credit monitoring.
    On May 24, 2006, the Honorable Thelma D. Drake introduced 
H.R. 5467, which would amend title 38, United States Code, to 
establish criminal penalties for the unauthorized disclosure of 
records containing personal information about veterans.
    On May 25, 2006, the Honorable Darlene Hooley introduced 
H.R. 5487, which would require the Secretary of Veterans 
Affairs to take certain actions to mitigate the effects of the 
breach of data that occurred in May 2006.
    On May 25, 2006, the Honorable Robert E. Andrews introduced 
H.R. 5490, which would require the Secretary of Veterans 
Affairs to establish a personal identification number for each 
veteran in order to help preserve the confidentiality of the 
Department of Veterans Affairs' information on veterans.
    On May 25, 2006, the full Committee held a hearing with the 
Secretary of Veterans Affairs and the Inspector General of the 
Department of Veterans Affairs to review the loss of sensitive 
information of veterans.
    On June 8, 2006, full Committee Chairman Steve Buyer and 
Committee on Appropriations' Subcommittee on Military Quality 
of Life and Veterans Affairs Chairman James T. Walsh held a 
business roundtable with information technology experts from 
private sector companies, including the Goldman Sachs Group; 
EMC Corporation; VISA; Citigroup Inc.; TriWest Healthcare 
Alliance; and the American Bankers Association.
    On June 9, 2006, the Honorable Shelley Moore Capito 
introduced H.R. 5577, which would enhance protection of records 
of the Department of Veterans Affairs containing personal 
identifying information that is required by law to be 
confidential and privileged from disclosure except as 
authorized by law.
    On June 12, 2006, the Honorable John T. Salazar and the 
Honorable Lane Evans introduced H.R. 5588, the Comprehensive 
Veterans' Data Protection and Identity Theft Prevention Act of 
2006, which would require the Secretary of Veterans Affairs to 
protect sensitive personal information of veterans, to ensure 
that veterans are appropriately notified of any breach of data 
security with respect to such information, and to provide free 
credit monitoring and credit reports for veterans and others 
affected by any such breach of data security.
    On June 14, 2006, the full Committee held an oversight 
hearing on information security at the Department of Veterans 
Affairs.
    On June 16, 2006, the Honorable Kay Granger introduced 
H.R. 5636, the Social Security Number Privacy and Protection 
Act, to reduce the risk of identity theft by limiting the use 
of social security account numbers on certain Government-issued 
identification cards and Government documents.
    On June 20, 2006, the Subcommittees on Disability 
Assistance and Memorial Affairs and Economic Opportunity held a 
joint hearing on data security at the Veterans Benefits 
Administration.
    On June 21, 2006, the Subcommittee on Health held an 
oversight hearing on safeguarding veterans' medical information 
within the Veterans Health Administration.
    On June 22, 2006, the full Committee held an oversight 
hearing on the academic and legal implications of VA's data 
loss.
    On June 28, 2006, the full Committee held a hearing on what 
VA IT organizational structures would have best prevented VA's 
failures in information management.
    On June 29, 2006, the full Committee held a hearing with 
the Secretary of Veterans Affairs on the progress of the 
Department of Veterans Affairs in mitigating the nation's 
second largest data breach.
    On July 13, 2006, the Honorable Brian P. Bilbray introduced 
H.R. 5783, the Comprehensive Credit Services for Veterans Act 
of 2006, which would amend title 38, United States Code, to 
improve the security of sensitive personal data processed or 
maintained by the Secretary of Veterans Affairs.
    On July 18, 2006, the full Committee held a legislative 
hearing on draft legislation to review proposals and draft 
legislation the Committee was preparing as a response to the 
recent theft of the personal information of 26.5 million 
veterans and 2.2 million active duty and reserve component 
service members and their spouses, which included provisions 
and concepts from H.R. 5464, H.R. 5467, H.R. 5487, H.R. 5577, 
H.R. 5588, and H.R. 5783.
    On July 19, 2006, the Chairman and Acting Ranking Member, 
the Honorable Steve Buyer and the Honorable Bob Filner, 
respectively, along with Mr. Michael Bilirakis, Mr. Lane Evans, 
Mr. Cliff Stearns, Mr. Luis V. Gutierrez, Mr. Dan Burton, Ms. 
Corrine Brown of Florida, Mr. Henry E. Brown, Jr., of South 
Carolina, Mr. Michael H. Michaud, Mr. Jeff Miller of Florida, 
Ms. Stephanie Herseth, Mr. John Boozman, Mr. Ted Strickland, 
Mr. Jeb Bradley, Mr. Silvestre Reyes, Mrs. Ginny Brown-Waite, 
Ms. Shelley Berkley, Mr. Brian P. Bilbray, Mr. John T. Salazar, 
Mr. Tom Davis of Virginia, Mr. Henry A. Waxman, Mr. James T. 
Walsh, Mr. Chet Edwards, Mr. John D. Dingell, and Ms. Janice D. 
Schakowsky introduced H.R. 5835, the Veterans Information and 
Credit Security Act of 2006.
    On July 20, 2006, the full Committee met to markup H.R. 
5835, and ordered it reported favorably with an amendment in 
the nature of a substitute to the House by unanimous voice 
vote.

                      Summary of the Reported Bill

    H.R. 5835, as amended, would:
    1. Establish federal agency data breach notification 
requirements including the provision of enforcement authority 
to the Chief Information Officer of the Department of Veterans 
Affairs.
    2. Create a new Under Secretary of Information Services at 
the Department of Veterans Affairs, who would also serve as the 
Chief Information Officer.
    3. Create the Office of the Under Secretary for Information 
Security, which would contain three Deputy Under Secretaries 
appointed by the Secretary:
          a. Deputy Under Secretary for Security, who would 
        also serve as the Senior Information Security Officer 
        of the Department,
          b. Deputy Under Secretary for Operations and 
        Management, and
          c. Deputy Under Secretary for Policy and Planning.
    4. Define the responsibilities of the Under Secretary for 
Information Services under the Federal Information Security 
Management Act of 2002 (FISMA), which would include regular 
reporting of compliance or noncompliance with FISMA to the 
Secretary and Congress.
    5. Provide reporting and notification guidelines by the 
Secretary of Veterans Affairs to Congress in the event of a 
data security breach.
    6. Require an independent analysis of any data breaches to 
determine the level of risk associated for the potential misuse 
of any sensitive personal information involved in the data 
breach, and provide notification to affected individuals which 
would include:
          a. the availability of fraud alerts at the request of 
        the individual, and
          b. the availability of a credit security freeze at 
        the request of the individual.
    7. Permit the Secretary of Veterans Affairs to have final 
determination with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach based on the risk analysis performed.
    8. Allow remediation of identity theft, in the event the 
Secretary determines a reasonable risk exists for the potential 
misuse of the breached data, for a veteran or other individual 
whose sensitive personal information was compromised due to a 
data security breach at the Department, through the 
availability of credit protection services and, upon the 
request of that individual, fraud resolution services 
including:
          a. a definition of the covered individual,
          b. notification in writing or by email that the 
        individual's sensitive personal information was part of 
        a security breach,
          c. the availability of services through other 
        government entities,
          d. contracting with credit reporting agencies,
          e. the availability of a data breach analysis, and
          f. credit monitoring services and identity theft 
        insurance.
    9. Require, as a condition of contracting with the 
Department of Veterans Affairs for the processing or 
maintenance of sensitive personal information, that a 
contractor not disclose such information to any other person, 
unless the disclosure is lawful and is expressly permitted 
under the contract. Should a breach occur by either the 
contractor or the subcontractor, liquidated damages would be 
incurred by the contractor. Monies collected from contractors 
as liquidated damages would be used to provide credit 
protection services to covered individuals affected by the data 
breach for which the penalty is paid.
    10. Provide for an appropriation of such funds as may be 
necessary for each fiscal year for credit protection services.
    11. Require a report by the Department of Veterans Affairs 
on the feasibility of using personal identification numbers 
instead of social security numbers for the purpose of 
identifying individuals whose sensitive personal information is 
processed or maintained by the Secretary. The report is to be 
submitted to Congress no later than 180 days after the date of 
enactment.
    12. Set a deadline for appointments under this Act of not 
later than 180 days after enactment, with a report of not later 
than 30 days after the date of the enactment, and every 30 days 
thereafter until the appointments are made, from the Secretary 
describing the progress of the appointments.
    13. Create a scholarship program for up to five new 
scholarships each year at VA for recruitment of personnel who 
are in pursuit of a doctoral degree in information security, 
computer engineering, or electrical engineering at an 
accredited institution of higher learning. The recipients would 
be required to agree to a period of obligated service at the 
Department as determined by the Secretary, not less than two 
years for every one year of school tuition paid, and repayment 
would be required in the event an individual voluntarily 
terminates service prior to the end of the period of obligated 
service.
    14. Provide for repayment of education debts for five 
individuals each year who hold doctoral degrees in information 
security, computer engineering, or electrical engineering from 
an accredited institution of higher learning (only one may be a 
current employee of the Department). Debt reduction payments 
made to individuals under this section would not exceed $82,500 
over a total of 5 years of participation, or $16,500 per year 
in the program.
    15. Authorize the Secretary of Veterans Affairs to give 
preference in the award of either the scholarships or the 
repayment program to individuals who are: service-disabled 
veterans, veterans, surviving spouses of veterans who have died 
of a service-connected disability, or spouses of veterans who 
are 100-percent permanently and totally disabled; or 
individuals who have received or are pursuing a degree at a 
Center of Academic Excellence in Information Assurance 
Education.
    16. Require the Government Accountability Office (GAO) to 
report on the education programs 3 years after the date of 
enactment.

                       Background and Discussion

    Federal Agency Data Breach Notification.--Section 2 of the 
bill would provide enforcement authority under the Federal 
Information Security Management Act of 2002 (FISMA). The 
Committee found in its investigation of the data breach of May 
3, 2006, that the intent of Congress should be clarified with regard 
to the extent to which FISMA would authorize the Department 
Secretary or the Chief Information Officer to enforce 
compliance with FISMA at the Department. This language was 
written in cooperation with the Committee on Government Reform 
and would strengthen the Secretary's and the CIO's authority and 
enforcement under FISMA for all government agencies. This 
section also would require timely notification to individuals 
whose sensitive personal information was included in a breach 
of data at the agency. The Committee strongly urges the 
Department of Veterans Affairs to follow the guidelines set 
forth in the Federal Information Security Management Act of 
2002 (FISMA) to ensure the protection of veterans' personal 
information. The Committee also expects that the Secretary 
would consider compliance with FISMA when evaluating an 
employee's performance for providing merit bonuses, consistent 
with the Secretary's goal of working to make VA the ``gold 
standard'' in information security.
    Under Secretary for Information Services.--Section 3 of the 
bill would create a new appointment-level Under Secretary for 
Information Services at the Department of Veterans Affairs. 
This Under Secretary would direct the Office of Information 
Services, and also serve as the Chief Information Officer of 
the Department of Veterans Affairs. The Committee intends that 
the Under Secretary for Information Services and Chief 
Information Officer would serve on the VA/DoD Joint Executive 
Council, just as the current Assistant Secretary for 
Information and Technology and Chief Information Officer does. 
The Committee also determined that, consistent with private 
sector practices, the Department would be better served by an 
Under Secretary appointee who would be in charge of all IT 
related services for the Department. In the private sector the 
CIO is often a corporate vice president.
    Department of Veterans Affairs Information Security.--
Section 4 of the bill would create the Office of the Under 
Secretary for Information Services. In the Office of 
Information Services, there would be three Deputy Under 
Secretaries: (1) Deputy Under Secretary for Security, who would 
also serve as the Chief Information Security Officer of the 
Department; (2) Deputy Under Secretary for Operations and 
Management, who would oversee day-to-day information technology 
operations within the Department of Veterans Affairs, and (3) 
Deputy Under Secretary for Policy and Planning who would 
provide policy guidelines and development planning for IT 
related issues at the Department.
    The section would also identify the responsibilities of the 
Chief Information Officer, and would require an annual report 
to be submitted to the House and Senate Committees on Veterans' 
Affairs, the House Committee on Government Reform and the 
Senate Committee on Homeland Security and Governmental Affairs 
on the Department's compliance under FISMA. The information 
would be for each Administration, office or facility of the 
Department.
    The Chief Information Officer would be required to report 
at least monthly to the Secretary any deficiency in the 
compliance with FISMA by the Department or any Administration, 
office, or facility of the Department. Should a significant 
deficiency in compliance be found at the Department or in any 
Administration, office or facility of the Department, the Chief 
Information Officer would be required to immediately report 
this to the Secretary.
    With respect to data breaches that may occur at the 
Department or at any Administration, office or facility of the 
Department, the Chief Information Officer would immediately 
provide notice of said breach to the Secretary. The Secretary 
would then provide notice of the breach to the Director of the 
Office of Management and Budget, the Inspector General of the 
Department, and if appropriate, the Federal Trade Commission 
and the United States Secret Service.
    Under section 5725(b)(1) the Department would be required 
to notify the individual whose sensitive personal information 
was part of the data breach. The Committee suggests that under 
this section the Department develop a mechanism through the 
Veterans Integrated Service Networks to notify the veterans of 
the data breach and provide an explanation of the services 
provided under this legislation.
    Report on Feasibility of Using Personal Identification 
Numbers for Identification.--Section 5 of the bill would 
require a report from the Secretary of Veterans Affairs to 
Congress, containing the assessment of the Secretary with 
respect to the feasibility of using personal identification 
numbers instead of Social Security numbers for the purpose of 
identifying individuals whose sensitive personal information is 
processed or maintained by the Secretary. Currently, social 
security numbers are maintained in the same database as all 
other veteran information, and used by claims processors to 
access files at the Department. Prior to 1973, a special C-file 
number was assigned to veterans' claims and cases, and was used 
as the primary identifier for veterans' information at the 
Department. The Committee seeks to determine the feasibility of 
changing to a system of identifiers which would not require the 
use of a Social Security Number stored within the veterans' 
primary record in order to protect the veterans' personal 
identifying information.
    Deadline for Appointments.--Section 6 of the bill would 
require the Under Secretary for Information Services, and the 
Deputy Under Secretaries under the Office of Information 
Services to be appointed not later than 180 days after the 
enactment of the Act. Thirty days after enactment of this Act, 
the Secretary would be required to report to Congress on the 
progress of the appointments, and then every 30 days until all 
appointments are made.
    Information Security Education Assistance Program.--Section 
7 of the bill would require VA to establish a financial 
assistance program that would include no more than five 
scholarships and five debt reduction payment programs per year 
through July 31, 2017, for individuals in pursuit of, or having 
received, a doctoral degree in computer science, electrical 
engineering, or computer engineering, in an effort to assist VA 
with recruiting new personnel with expertise in cyber security. 
The Committee intends for VA to broadly interpret the areas of 
doctoral degrees to include any disciplines in the information 
security systems arena. Finally, the Committee expects VA to 
give preference to service-disabled veterans, veterans, 
surviving spouses of veterans who have died of a service-
connected disability or spouses of veterans who are 100 percent 
permanently and totally disabled, and individuals who have 
received or are pursuing a degree at a Center of Academic 
Excellence in Information Assurance Education. The education 
assistance program was specifically drafted into the 
legislation in order to provide the Secretary with a recruiting 
and retention tool to obtain the most qualified individuals in 
the area of information technology and information security to 
work at the Department.

                      Section-by-Section Analysis

    Section 1 of the bill would provide that this Act may be 
cited as the ``Veterans Identity and Credit Security Act of 
2006.''
    Section 2(a) of the bill would amend section 3543(a) of 
title 44, United States Code, by (1) striking ``and'' at the 
end of paragraph (7); (2) striking the period and inserting ``; 
and'' at the end of paragraph (8); and (3) adding at the end 
the following new paragraph: ``(9) establishing policies, 
procedures, and standards for agencies to follow in the event 
of a breach of data security involving the disclosure of 
sensitive personal information in violation of section 552a of 
title 5, United States Code, including a requirement for timely 
notice to be given to those individuals whose sensitive 
personal information could be compromised as a result of such 
breach, except no notice shall be required if the breach does 
not create a reasonable risk of identity theft, fraud, or other 
unlawful conduct regarding such individual.''
    Section 2(b) of the bill would amend section 3544(a)(3) of 
title 44, United States Code, by inserting after ``authority to 
ensure compliance with'' the following: ``and, to the extent 
determined necessary and explicitly authorized by the head of 
the agency, to enforce''.
    Section 2(c) of the bill would amend section 3544(b) of 
title 44, United States Code, (1) by striking ``and'' at the 
end of paragraph (7); (2) by striking the period and inserting 
``; and'' at the end of paragraph (8); and (3) by adding at the end 
the following new paragraph: ``(9) procedures for notifying 
individuals whose sensitive personal information is compromised 
consistent with policies, procedures, and standards established 
under section 3543(a)(9) of this title.''
    Section 2(d) of the bill would amend section 3542(b) of 
title 44, United States Code, by defining the term `sensitive 
personal information' as any information contained in a record, 
as defined in section 552a(4) of title 5, United States Code.
    Section 3 of the bill would amend Chapter 3 of title 38, 
United States Code, by inserting after section 307 the 
following new section: ``Sec. 307A. Under Secretary for 
Information Services''.
    New section 307A(a) of the bill would create the Under 
Secretary for Information Services, who is appointed by the 
President by and with the advice and consent of the Senate. The 
Under Secretary would be the head of the Office of Information 
Services and will perform such functions as the Secretary 
prescribes.
    New section 307A(b) of the bill would specify that the 
Under Secretary for Information Services serve as the Chief 
Information Officer of the Department under section 310 of 
title 38, United States Code, notwithstanding any other 
provision of law.
    Section 3(b) of the bill would make clerical amendments.
    Section 3(c) of the bill would make conforming amendments.
    Section 4(a) of the bill would amend Chapter 57 of title 
38, United States Code, by adding a new Subchapter III--
Information Security:
    New section 5721(1) of the bill would define the term 
`sensitive personal information' as the name, address, or 
telephone number of an individual, in combination with any of 
the following: (A) the Social Security number of the 
individual, (B) the date of the birth of the individual, (C) 
any information not available as part of the public record 
regarding the individual's military service or health, (D) any 
financial account or other financial information relating to 
the individual, (E) the driver's license number or equivalent 
State identification number of the individual, (F) the 
deoxyribonucleic acid profile or other unique biometric data of 
the individual, including the fingerprint, voice print, retina 
or iris image, or other unique physical representation of the 
individual.
    New section 5721(2) of the bill would define the term `data 
breach' to mean the loss, theft, or other unauthorized access 
to data containing sensitive personal information, in 
electronic or printed form, that results in the potential 
compromise of the confidentiality or integrity of the data.
    New section 5721(3) of the bill would define the term `data 
breach analysis' to mean the identification of any misuse of 
sensitive personal information involved in a data breach.
    New section 5721(4) of the bill would define the term 
`fraud resolution services' to mean services to assist an 
individual in the process of recovering and rehabilitating the 
credit of the individual after the individual experiences 
identity theft.
    New section 5721(5) of the bill would define the term 
`identity theft' as the meaning given under section 603 of the 
Fair Credit Reporting Act (15 U.S.C. 1681a).
    New section 5721(6) of the bill would define the term 
`identity theft insurance' as any insurance policy that pays 
benefits for costs, including travel costs, notary fees, 
postage costs, lost wages, and legal fees and expenses 
associated with the identity of the insured individual.
    New section 5721(7) of the bill would define the term 
`principal credit reporting agency' as a consumer reporting 
agency as described in section 603(p) of the Fair Credit 
Reporting Act (15 U.S.C. 1681a(p)).
    New section 5722(a) of the bill would provide that the 
Office of the Under Secretary for Information Services consist 
of the following: (1) the Deputy Under Secretary for 
Information Services for Security, who shall serve as the 
Senior Information Security Officer of the Department, (2) the 
Deputy Under Secretary for Information Services for Operations 
and Management, (3) the Deputy Under Secretary for Information Services 
for Policy and Planning.
    New section 5722(b) of the bill would provide that 
appointments under new section 5722(a) be made by the 
Secretary, notwithstanding the limitations of section 709 of 
title 38, United States Code.
    New section 5722(c) of the bill would provide that at least 
one of the positions established and filled under new section 
5722(a) be filled by an individual who has at least five years 
of continuous service in the Federal civil service in the 
executive branch immediately preceding the appointment of the 
individual as a Deputy Under Secretary. For purposes of 
determining such continuous service of an individual, there 
shall be excluded any service by such individual in a position 
(1) of a confidential, policy-determining, policy-making, or 
policy-advocating character; (2) in which such individual 
served as a non-career appointee in the Senior Executive 
Service, as defined in section 3132(a)(7) of title 5, United 
States Code; or (3) to which such individual was appointed by 
the President.
    New section 5723(a) would provide for the responsibilities 
of the Chief Information Officer. The Secretary shall ensure 
that the Chief Information Officer, in order to support the 
economical, efficient, and effective execution of subtitle III 
of chapter 35 of title 44, United States Code, have the 
authority and control necessary to develop, approve, implement, 
integrate, and oversee the policies, procedures, processes, 
activities, and systems of the Department relating to that 
subtitle, including the management of all related mission 
applications, information resources, personnel, and 
infrastructure.
    New section 5723(b) of the bill would require the Secretary 
to submit a report, not later than March 1 of each year, to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives, the Committee on Government Reform of the 
House of Representatives, and the Committee on Homeland 
Security and Governmental Affairs of the Senate, on the 
Department's compliance with subtitle III of chapter 35 of 
title 44, United States Code. The information in such report 
shall be displayed in the aggregate and separately for each 
Administration, office, and facility of the Department.
    New section 5723(c)(1) of the bill would require the Chief 
Information Officer to submit a report, at least once every 
month, to the Secretary noting any deficiency in the compliance 
with subtitle III of chapter 35 of title 44, United States 
Code, of the Department or any Administration, office, or 
facility of the Department.
    New section 5723(c)(2) of the bill would require the Chief 
Information Officer to immediately report to the Secretary any 
significant deficiency in such compliance.
    New section 5723(d)(1) of the bill would require the Chief 
Information Officer to immediately provide notice to the 
Secretary of any data breach.
    New section 5723(d)(2) of the bill would require the 
Secretary, after receiving notice of a data breach under 
paragraph (1), to provide notice of such breach to the Director 
of the Office of Management and Budget, the Inspector General 
of the Department, and, if appropriate, the Federal Trade 
Commission and the United States Secret Service.
    New section 5723(e) of the bill would require the 
Secretary, when the budget for any fiscal year is submitted by 
the President to Congress under section 1105 of title 31, 
United States Code, to submit to Congress a report that 
identifies amounts requested for Department implementation and 
remediation of, and compliance with, this subchapter and 
subtitle III of chapter 35 of title 44, United States Code. The 
report shall set forth those amounts both for each 
Administration within the Department and for the Department in 
the aggregate and shall identify, for each such amount, how 
that amount is aligned with and supports such implementation 
and compliance.
    New section 5724(a)(1) of the bill would require the 
Secretary to submit a report, not later than 30 days after the 
last day of a fiscal quarter, to the Committees on Veterans' 
Affairs of the Senate and the House of Representatives, on any 
data breach with respect to sensitive personal information 
processed or maintained by the Department that occurred during 
that quarter.
    New section 5724(2) of the bill would require that each 
report submitted under paragraph (1) identify, for each data 
breach covered by the report, the Administration and facility 
of the Department responsible for processing or maintaining the 
sensitive personal information involved in the data breach.
    New section 5724(b)(1) of the bill would require the 
Secretary, in the event of a data breach with respect to 
sensitive personal information and which the Secretary 
determines is significant, to provide notice to the Committees 
on Veterans' Affairs of the Senate and House of 
Representatives.
    New section 5724(b)(2) of the bill would require the 
Secretary, pursuant to paragraph (1), to provide prompt notice 
following the discovery of such a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
    New section 5725(a)(1) of the bill would require that, in 
the event of a data breach with respect to sensitive personal 
information that is processed or maintained by the Secretary, 
the Secretary shall ensure that, as soon as possible after the 
data breach, a non-Department entity conducts an independent 
risk analysis of the data breach to determine the level of risk 
associated with the data breach for the potential misuse of any 
sensitive personal information involved in the data breach.
    New section 5725(a)(2) of the bill would require the 
Secretary to provide credit protection services in accordance 
with section 5726 of title 38, United States Code, in the event 
of a data breach with respect to sensitive personal information 
that is processed or maintained by the Secretary.
    New section 5725(b)(1) of the bill would require the 
Secretary to provide to an individual whose sensitive personal 
information is involved in a data breach, notice (A) in 
writing; or (B) by e-mail, if (i) the Department's primary 
method of communication with the individual is by e-mail; and 
(ii) if the individual has consented to receive such 
notification.
    New section 5725(b)(2) of the bill would provide that 
notice under paragraph (1) shall describe the circumstances of 
the data breach and the risk that the breach could lead to 
misuse, including identity theft, involving the sensitive 
personal information of the individual; describe the specific 
types of sensitive personal information that was compromised as 
a part of the data breach; describe the actions the Department 
is taking to remedy the data breach; inform the individual that 
the individual may require a fraud alert and credit security 
freeze under this section; clearly explain the advantages and 
disadvantages to the individual of receiving fraud alerts and 
credit security freezes under this section; and include other 
such information as the Secretary determines is appropriate.
    New section 5725(b)(3) of the bill would require the notice 
under paragraph (1) to be provided promptly following the 
discovery of a data breach and the implementation of any 
measures necessary to determine the scope of the breach, 
prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    New section 5725(c) of the bill would require the Secretary 
to promptly report, with respect to sensitive personal 
information processed or maintained by the Secretary, to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives, findings of any independent risk analysis 
conducted under subsection (a)(1), any determination of the 
Secretary under subsection (a)(2), and a description of any 
credit protection services provided under section 5726 of title 
38, United States Code.
    New section 5725(d) of the bill would provide that, 
notwithstanding sections 511 and 7104(a) of title 38, United 
States Code, any determination of the Secretary under 
subsection (a)(2) with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach is final and conclusive and may not be reviewed by any 
other official, administrative body, or court, whether by an 
action in the nature of mandamus or otherwise.
    New section 5725(e)(1) of the bill would require the 
Secretary, in the event of a data breach with respect to 
sensitive personal information that is processed or maintained 
by the Secretary, to arrange, upon the request of an individual 
whose sensitive personal information is involved in the breach 
to a principal credit reporting agency with which the Secretary 
has entered into a contract under section 5726(d) and at no 
cost to the individual, for the principal credit reporting 
agency to provide fraud alert services for that individual for 
a period of not less than one year, beginning on the date of 
such request, unless the individual requests that such fraud 
alert be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
    New section 5725(e)(2) of the bill would require the 
Secretary to arrange for each principal credit reporting agency 
referred to in paragraph (2) to provide any alert requested 
under such subsection in the file of the individual along with 
any credit score generated in using that file, for a period of 
not less than one year, beginning on the date of such request, 
unless the individual requests that such fraud alert be removed 
before the end of such period, and the agency receives 
appropriate proof of the identity of the individual for such 
purpose.
    New section 5725(f)(1) of the bill would require the 
Secretary to arrange, in the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, upon request of an individual 
whose sensitive personal information is involved in the breach 
and at no cost to the individual, for each principal credit 
reporting agency to apply a security freeze to the file of that 
individual for a period not less than one year, beginning on 
the date of such request, unless the individual requests that 
such security freeze be removed before the end of such period, 
and the agency receives appropriate proof of the identity of 
the individual for such purpose.
    New section 5725(f)(2) of the bill would require the 
Secretary to arrange for a principal credit reporting agency 
applying a security freeze under paragraph (1) to (A) send 
written confirmation of the security freeze to the individual 
within five business days of applying the freeze; (B) refer the 
information regarding the security freeze to other consumer 
reporting agencies; (C) provide the individual with a unique 
personal identification number or password to be used by the 
individual when providing authorization for the release of the 
individual's credit for a specific party or period of time; and 
(D) upon request of the individual, to temporarily lift the 
freeze for a period of time specified by the individual, 
beginning not later than three business days after the date on 
which the agency receives the request.
    New section 5726(a) of the bill would provide credit 
protection services to a covered individual, who, for the 
purposes of this section, is an individual whose sensitive 
personal information is processed or maintained by the 
Department (or any third-party entity acting on behalf of the 
Department) whose sensitive personal information is involved, 
on or after August 1, 2005, in a data breach for which the 
Secretary determines a reasonable risk exists for the potential 
misuse of sensitive personal information under section 
5725(a)(2) of title 38, United States Code.
    New section 5726(b)(1) of the bill would require the 
Secretary to provide, in writing, notification of credit 
protection services, in addition to any notice required under 
subsection 5725(b), to a covered individual that (A) the 
individual may request credit protection services under this 
section; (B) clearly explains the advantages and disadvantages 
to the individual of receiving credit protection services under 
this section; (C) includes a notice of which principal credit 
reporting agency the Secretary has entered into a contract with 
under subsection (d), and information about requesting services 
through that agency; (D) describes actions the individual can 
or should take to reduce the risk of identity theft; and (E) 
includes such other information as the Secretary determines is 
appropriate.
    New section 5726(b)(2) of the bill would require that the 
required notice under paragraph (1) be made as promptly as 
possible and without reasonable delay following the discovery 
of a data breach for which the Secretary determines a 
reasonable risk exists for the potential misuse of sensitive 
personal information under section 5725(a)(2) of this title and 
the implementation of any measures necessary to determine the 
scope of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
    New section 5726(b)(3) of the bill would require the 
Secretary to ensure that each notification under paragraph (1) 
includes a form or other means for readily requesting the 
credit protection services under this section. Such form or 
other means may include a telephone number, email address, or 
Internet website address.
    New section 5726(c) of the bill would provide for the 
availability of services through other government agencies. If 
a service required under this section is available to a covered 
individual through another department or agency of the 
Government, the Secretary and the head of that department or 
agency may enter into an agreement under which the head of 
that department or agency agrees to provide that service to the 
covered individual.
    New section 5726(d) of the bill would require, subject to 
the availability of appropriations and notwithstanding any 
other provision of law, that the Secretary shall enter into 
contracts or other agreements as necessary with one or more 
principal credit reporting agencies in order to ensure, in 
advance, the provision of credit protection services under this 
section and fraud alerts and security freezes under section 
5725 of this title. Any such contract or agreement may include 
provisions for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
    New section 5726(e) of the bill would require the 
Secretary, upon request of the individual and at no cost to the 
individual, to provide data breach analysis for the individual 
for a period of not less than one year, beginning on the date 
of such request.
    New section 5726(f) of the bill would require the Secretary 
to arrange, during the one-year period beginning on the date on 
which the Secretary notifies a covered individual that the 
individual's sensitive personal information is involved in a 
data breach, for the provision of credit monitoring services to 
the individual upon the request of the individual and without 
charge to the individual. Credit monitoring services under this 
subsection shall include: (1) one copy of the credit report of 
the individual every three months, (2) fraud resolution 
services for the individual, and (3) identity theft insurance 
in a coverage amount that does not exceed $30,000 in aggregate 
liability for the insured.
    New section 5727(a) of the bill would require that if the 
Secretary enters into any contract for the performance of any 
Department function that requires access to sensitive personal 
information that (1) the contractor not, directly or through an 
affiliate of the contractor, disclose such information to any 
other person unless the disclosure is lawful and is expressly 
permitted under contract, and (2) the contractor or any 
subcontractor for a subcontract of the contract, promptly 
notify the Secretary of any data breach that occurs with 
respect to such information.
    New section 5727(b) of the bill would require each contract 
subject to the requirements of subsection (a) to provide 
liquidated damages to be paid by the contractor to the 
Secretary in the event of a data breach with respect to any 
sensitive personal information processed or maintained by the 
contractor or any subcontractor under that contract.
    New section 5727(c) of the bill would require any amount 
collected by the Secretary under subsection (b) be deposited in 
or credited to the Department account from which the contractor 
is paid and remain available for obligation without fiscal year 
limitation exclusively for the purpose of providing credit 
protection services in accordance with section 5726 of title 
38, United States Code.
    New section 5728 of the bill would authorize such sums as 
may be necessary for each fiscal year to be appropriated to 
carry out this subchapter.
    Section 4(b) of the bill would make clerical amendments.
    Section 4(c) of the bill would require the Secretary of 
Veterans Affairs to publish regulations to carry out subchapter 
III of chapter 57, title 38, United States Code, as added by 
subsection (a), not later than 60 days after the enactment of 
this Act.
    Section 5 of the bill would require the Secretary to submit 
to Congress a report containing the assessment of the Secretary 
on the feasibility of using personal identification numbers 
instead of Social Security numbers for the purpose of 
identifying individuals whose sensitive personal information, 
as defined in section 5721 of title 38, United States Code, is 
processed or maintained by the Secretary, not later than 180 
days after enactment of this Act.
    Section 6(a)(1) of the bill would require the President to 
nominate an individual to serve as Under Secretary for 
Information Services under section 307A of title 38, United 
States Code, not later than 180 days after enactment of this 
Act.
    New section 6(a)(2) of the bill would require the Secretary 
of Veterans Affairs to appoint an individual to serve as each 
of the Deputy Under Secretaries of Veterans Affairs for 
Information Services under section 5722 of title 38, United 
States Code, not later than 180 days after enactment of this 
Act.
    New section 6(b) of the bill would require the Secretary of 
Veterans Affairs to submit to Congress a report describing the 
progress of appointments described in subsection (a), not later 
than 30 days after enactment of this Act, and every 30 days 
after until the appointments are made.
    Section 7(a) of the bill would add a new chapter 79, 
``Information Security Education Assistance Program,'' to title 
38, United States Code. The following sections would be added 
to title 38, United States Code.
    New section 7901(a) of the bill would require the Secretary 
to provide financial support for education in computer science, 
and electrical and computer engineering at accredited 
institutions of higher education to encourage the recruitment 
and retention of personnel who have information security skills 
necessary to meet the Department's needs.
    New section 7901(b) of the bill would authorize programs 
for scholarships for the pursuit of doctoral degrees in 
computer science, and electrical and computer engineering from 
accredited institutions of higher education or education debt 
reduction for Department personnel who hold doctoral degrees in 
computer science, or electrical and computer engineering from 
accredited institutions of higher education.
    New section 7902(a)(1) of the bill would require the 
Secretary to establish a scholarship program, subject to the 
availability of appropriations, to provide financial assistance 
to individuals who are pursuing a doctoral degree in computer 
science, and electrical and computer engineering at accredited 
institutions of higher education and enter into an agreement 
with the Secretary as described in the new subsection 7902(b).
    New section 7902(a)(2) of the bill would allow the 
Secretary to provide the scholarship to an individual for up to 
five years unless the Secretary determines that a waiver is 
necessary.
    New section 7902(a)(3) of the bill would allow the 
Secretary to award up to five scholarships per academic year to 
individuals who did not receive the scholarship the preceding 
year. One of the five scholarships each year may be awarded to 
a current VA employee.
    New section 7902(b) of the bill would require any 
individual who receives financial assistance from the 
scholarship to enter into an agreement to accept and continue 
employment with VA for a period of obligated service to be 
determined by the Secretary that would not be less than 2 years 
of service for every one year of financial assistance. The 
period of obligated service would begin on a date after the 
individual receives a degree. The individual would be required 
to maintain a satisfactory academic progress, as determined by 
the Secretary, or the assistance would be terminated. The 
Secretary would have the authority to determine any other 
appropriate terms and conditions for carrying out the 
scholarship.
    New section 7902(c) of the bill would allow the amount of 
financial assistance under the scholarship program to not 
exceed $50,000 per academic year or a total amount of 
assistance of $200,000. The scholarship would be used for 
tuition and fees of the individual and $1500 would be awarded 
to the individual each month the individual is pursuing a 
course of study, independent research and between semesters for 
books, laboratory expenses, and room and board. The assistance 
awarded under this new section would not be considered as 
income or resources when determining eligibility for any 
Federal or federally assisted programs.
    New section 7902(d) of the bill would require any 
individual who receives the scholarship to repay the Secretary 
if the individual fails to satisfy the requirements of the 
service agreement entered into with the Secretary according to 
subsection 7902(b). The Secretary would be authorized to make 
regulations with regard to the repayment policy of the 
scholarship. The repayment obligation would be a debt owed to 
the United States and a discharge in bankruptcy under title 11, 
United States Code, would not discharge the individual's debt 
if the debt is entered into in less than five years after the 
termination of the agreement of contract.
    New section 7902(e) of the bill would require the Secretary 
to prescribe regulations for a waiver or suspension policy for 
service or payment if the Secretary determines the individual 
is noncompliant due to circumstances beyond their control.
    New section 7902(f) of the bill would authorize the 
Secretary to offer compensated internships to individuals 
receiving the scholarship between semesters. Any internship 
performed would not count towards obligated service.
    New section 7902(g) of the bill would prohibit any 
individual who receives education benefits under chapters 30, 
31, 32, 34, or 35 of title 38, United States Code, or from 1606 
or 1607 of title 10, United States Code, to receive the 
scholarship.
    New section 7903(a)(1) of the bill would require the 
Secretary to establish a debt reduction program, subject to the 
availability of appropriations, to provide financial assistance 
to individuals who received a doctoral degree in computer 
science, and electrical and computer engineering at accredited 
institutions of higher education for the individuals to make 
payments to the principal and interest on loans described in 
7903(b).
    New section 7903(a)(2) of the bill would allow the 
Secretary to accept up to five individuals into the program per 
year who did not receive a payment the preceding year. One of 
the five scholarships each year may be awarded to a current VA 
employee.
    New section 7903(b) of the bill would require any 
individual who participates in the program to have completed a 
doctoral degree in computer science, and electrical and 
computer engineering at accredited institutions of higher 
education during the five years preceding the date the 
individual is hired, be an employee in a position related to 
information security, and owes principal or interest on a loan 
which was used to pay the costs of achieving the doctoral 
degree.
    New section 7903(c) of the bill would limit the amount of 
financial assistance under the scholarship program to $16,500 
per year or a total amount of assistance of $82,500 over 5 
years. The total amount paid to the individual would not exceed 
the amount of principal and interest on the loans that the 
individual pays during the year.
    New section 7903(d) of the bill would require the Secretary 
to make the debt reduction payments on an annual basis on the 
last day of the one-year period beginning on the date the 
individual was accepted into the program, or if the individual 
received the payment the previous year, the individual would 
receive the payment on the last day of the one-year period 
beginning on the date of the last payment. The assistance 
awarded under this new section would not be considered as 
income or resources when determining eligibility for federal or 
federally assisted programs.
    New section 7903(e) of the bill would authorize the 
Secretary to make payments under the debt reduction program to 
an individual only if the individual maintains an acceptable 
level of performance in the position or positions during the 
year after acceptance in the program.
    New section 7903(f) of the bill would require the Secretary 
to notify any individual accepted into the debt reduction 
program of the terms and conditions of the program in writing.
    New section 7903(g) of the bill would authorize payment to 
individuals accepted into the debt reduction program for loans 
associated with tuition expenses and all other reasonable 
educational expenses, including fees, books, and laboratory 
expenses.
    New section 7904 of the bill would require the Secretary to 
give preference for the financial assistance programs to 
qualified individuals who are: service-disabled veterans; 
veterans; surviving spouses of veterans who have died of a 
service-connected disability, or spouses of veterans who are 
100 percent permanently and totally disabled; individuals who 
have received or are pursuing a degree at a Center of Academic 
Excellence in Information Assurance Education; or citizens of 
the United States.
    New section 7905 of the bill would require that any veteran 
who receives financial assistance through this new chapter 79 
of title 38, United States Code be discharged from the Armed 
Forces under honorable conditions.
    New section 7906 would require the Secretary to prescribe 
regulations for the new chapter 79 of title 38, United States 
Code.
    New section 7907 of the bill would terminate the new 
financial assistance programs on July 31, 2017.
    New section 7(b) of the bill would require the Comptroller 
General to submit a report to Congress on the scholarship and 
debt reduction programs under the new chapter 79 of title 38, 
United States Code no later than 3 years after date of 
enactment.
    New section 7(c) of the bill would require scholarship 
payments under the new chapter 79 of title 38, United States 
Code to apply to academic semesters or terms beginning on or 
after August 31, 2007.
    New section 7(d) of the bill would make clerical 
amendments.


                    Performance Goals and Objectives

    The reported bill would establish the position of Under 
Secretary for Information Services, and would provide for an 
Office of Information Services within the Department of 
Veterans Affairs. It would strengthen the Federal Information 
Security Management Act of 2002, to provide the Department's 
Chief Information Officer improved enforcement authority over 
information management, and require certain notification and 
credit services for veterans affected by data breaches. 
Performance goals and objectives are established in VA's annual 
performance plans and are subject to the Committee's regular 
oversight. In addition, the Committee on Government Reform 
conducts regular oversight of the Department's conformance with 
FISMA regulations.

             Statements of the Views of the Administration


Statement of Hon. Gordon H. Mansfield, Deputy Secretary, Department of 
                            Veterans Affairs

    Mr. Chairman and Members of the Committee,
    I am pleased to provide the Department's views on eight 
bills, all intended to protect the personal privacy of veterans 
and others affected by the May 3, 2006 theft of computer 
equipment containing veterans' personal data. While you had 
also invited our views on a draft bill your staff shared last 
week, I regret that time has not permitted us to have cleared 
positions on its many provisions. We will supply those for the 
record once the necessary executive-branch coordination is 
completed.
    Initially, I wish to point out that the eight bills covered 
in my testimony were introduced before the stolen computer 
hardware was recovered. As you know, the FBI has concluded with 
a high degree of confidence that, based upon its forensic 
examination and other evidence developed during its 
investigation, the veterans data were not accessed or 
compromised prior to their recovery. That development has 
eliminated the need for much of what is proposed in the 
legislation, and while we understand the concerns that 
engendered these eight bills we do not support their enactment.


                               h.r. 5455


    H.R. 5455, the ``Veterans Identity Protection Act of 
2006,'' would require the Department of Veterans Affairs to: 
(1) provide notification to each individual whose personal 
information was included in the recent data breach; (2) provide 
to any of these individuals a free one-year credit monitoring 
service; (3) provide a copy of that individual's credit report 
once annually during the two year period following the 
termination of the credit monitoring services; and (4) certify 
in writing to Congress that any individual whose personal 
information has been compromised due to data security lapses at 
the Department has been appropriately notified in writing.
    The Secretary has already taken proactive and aggressive 
steps to notify all individuals whose personal information was 
potentially at risk as a result of the May 3 data theft. Also, 
the recovery of the data, apparently uncompromised, eliminates 
the need to offer credit monitoring or additional free credit 
reports at this time.
    In addition, the Fair Credit Reporting Act (FCRA), 15 
U.S.C. Sec. 1681 et seq., requires each of the three major 
credit bureaus to provide, upon request, a free copy of an 
individual's credit report once every twelve months and upon 
the individual's placement of an initial fraud alert on his or 
her credit file. Therefore, an individual who places an initial 
fraud alert could make a request to each of the three credit 
bureaus and receive up to six free credit reports annually. The 
Department's website at http://www.va.gov documents the 
actions taken by the Secretary in this regard and advises 
veterans how to place a fraud alert with, and obtain free 
credit reports from, the credit bureaus. For these reasons, 
H.R. 5455 is unnecessary.


                               h.r. 5464


    H.R. 5464, the ``Veterans Identity Protection Act,'' would 
require VA to: (1) provide detailed notification to each 
veteran whose personal information was included in the data 
breach; and (2) include a form for the veteran to elect to 
receive a free credit report once every three months for the 
year following notification and free credit monitoring for that 
year also. The bill also would limit the funds available to the 
Office of the Secretary to 90 percent of the funds otherwise 
available if the 16 information security recommendations of 
VA's Inspector General are not fully implemented by January 1, 
2007. The bill would limit the funds otherwise available to the 
Office of the Secretary by 10 percent in subsequent fiscal 
years, after January 1, 2007, for any information security 
recommendation not fully implemented.
    VA supports the underlying intent of H.R. 5464, but cannot 
support the bill. In addition to the actions already discussed, 
VA is taking steps to implement the 16 information security 
recommendations. The Secretary has established an Information 
Security Task Force composed of senior officials and has hired 
a Special Advisor on Information Security. Working together 
with the Chief Information Officer of the Department, these 
individuals will implement the recommendations. For these 
reasons, we believe that H.R. 5464 too is unnecessary.


                               h.r. 5467


    H.R. 5467, the ``Veterans Identity Security Act of 2006,'' 
would establish criminal penalties for knowingly disclosing 
without authorization records containing personal information 
about veterans. The bill would amend title 38, United States 
Code, by adding a new section 5706 applicable to officers, 
employees, contractors, and volunteers of the Department who 
disclose personal information without lawful authorization. The 
bill defines personal information as ``name, date of birth, 
address, phone number, Social Security number, and (if 
applicable) disability rating.'' Penalties range from fines to 
imprisonment for up to ten years when there is intent to sell, 
transfer, or use the personal information for commercial 
advantage, personal gain or malicious harm.
    VA has no objection to the intent of H.R. 5467 but has 
several technical suggestions for improving its drafting and 
coverage. We would be happy to discuss these with Committee 
staff at its convenience.


                               h.r. 5487


    H.R. 5487, the ``Veterans' ID Theft Protection Act of 
2006,'' would also require VA to notify any person affected by 
the breach, but also to notify consumer reporting agencies and 
appropriate third parties who may be required to act in a 
manner to further protect affected persons from fraud or 
identity theft. The notice specifications must include details 
of the breach, current safeguards of personal information, 
contact information for the Department, information provided by 
the Federal Trade Commission (FTC) regarding identity theft, 
information on obtaining a copy of a consumer's credit report 
free of charge and other information regarding placing a fraud 
alert on one's file and contact information for the FTC. The 
bill also would require the Department to offer affected 
persons free credit monitoring service, at their request, for 
not less than six months, and to take prompt and reasonable 
measures to repair the data breach that would improve the data 
security policies and procedures.
    For reasons already discussed, H.R. 5487 is unnecessary.


                               h.r. 5490


    H.R. 5490, the ``Veterans Identification Protection Act,'' 
would require the Department of Veterans Affairs to: (1) 
provide a four-digit personal identification number (PIN) for 
each veteran who receives or applies for VA benefits, and (2) 
take steps to provide that any entity entering into a 
commercial transaction with a veteran that ``includes the 
extension to the veteran of credit, a loan, or any other thing 
of value'' shall verify the veteran's identity through the PIN 
established. Any entity that is required to so verify a 
veteran's identity, but fails to, would be liable to that 
individual for all attorney fees and injuries incurred by that 
individual resulting from that failure.
    VA does not support H.R. 5490. VA understands that the 
current level of security as recommended by the National 
Institute of Standards and Technology and other security 
experts requires a PIN number with more than four digits. 
However, even if the bill were amended in this regard, VA would 
be opposed to the requirement that the Secretary provide, 
assign, monitor, or validate any universal PIN number 
exclusively for the use of veterans in commercial enterprises. 
The bill is unclear about the commercial enterprises to be 
covered. For example, there is no distinction made between 
commercial activities with a VA involvement (such as a home 
loan guarantee) and other commercial activities a veteran may 
be involved with that have no VA connection.


                               h.r. 5577


    H.R. 5577, the ``Veterans Identity Protection Act of 
2006,'' is intended to enhance the protection from disclosure 
of VA records containing personal identifying information that 
is required by law to be confidential and privileged.
    It would require the Department to establish an Office of 
Identity Protection, administered by a Director who shall be 
appointed by the Secretary. The Office would notify each 
individual whose personal information has been lost or 
compromised, provide him or her with one credit report every 
six months for three years at no charge, offer a 24-hour toll-
free telephone number and a web site to provide information 
regarding credit reporting services, ensure that active-duty 
military personnel have access to credit reporting services, 
make information available on possible fraudulent consumer 
credit or reporting services that may be targeted at affected 
veterans and service members and notify the Department of 
Justice and the FTC immediately when personal data in VA 
records may have been compromised. Furthermore, the Act would 
require the VA Inspector General (IG) to conduct a study of the 
data-security practices at VA and submit a report not later 
than six months after the date of the law's enactment to the 
Senate and House Committees on Veterans' Affairs. Finally, the 
Act would impose criminal penalties of a fine or imprisonment 
on any VA employee who removes records from VA custody without 
proper authorization.
    VA supports the underlying purposes of H.R. 5577, but 
cannot support the bill. In addition to the ameliorative 
actions already discussed, VA has provided a toll-free 
telephone number and a section on the Department's web site 
with information for those individuals seeking assistance, and 
established an Information Security Task Force to improve data 
security. While the Information Security Task Force will 
consider administrative alignments to enhance data security 
protections, there does not appear to be a need for a separate 
administrative Office of Identity Protection at this time. And, 
as already noted, FCRA already provides up to three free credit 
reports annually, and up to another three annually when an 
initial fraud alert is placed. For these reasons, we do not 
believe that these provisions are necessary.
    The requirement for the VA IG to report on the Department's 
progress in implementing data security improvements within six 
months after the law's enactment would not allow sufficient 
time for the Department to address corrective actions before 
the report must be submitted. Furthermore, the VA Inspector 
General regularly issues reports about data security practices 
within VA in Federal Information Security Management Act 
(FISMA) audits and consolidated financial statement audits 
performed annually. There does not appear to be a need for 
additional reports in this area.
    In addition, the criminal penalty provision is not 
sufficiently specific for enforcement purposes. In particular, 
the bill does not specify whether ``remove from the custody of 
VA,'' refers to removal from the ``custody of a VA employee'' 
or any removal from a ``VA worksite.'' H.R. 5577 also does not 
consider the reality that files leave the worksite every day 
for legitimate purposes, nor does it identify the specific part 
of title 18 that would provide for the fines imposed for such 
action. We could support enactment of the additional criminal 
penalties in H.R. 5467 if those provisions were amended as 
discussed above.


                               h.r. 5588


    H.R. 5588, the ``Comprehensive Veterans' Data Protection 
and Identity Theft Prevention Act of 2006,'' would require the 
Secretary of Veterans Affairs to: (1) issue policies and 
procedures to safeguard sensitive personal information before 
the end of the 90-day period beginning on the date of the 
enactment of the Act; (2) notify the Secret Service, VA IG, 
Senate and House Committees on Veterans' Affairs, the FTC, and 
the affected individual of any breach; (3) place fraud alerts 
or security freezes in the credit file of affected individuals; 
(4) provide affected individuals with credit monitoring 
services; and (5) establish the position of an Ombudsman for 
Data Security within the Department to provide information and 
assistance to such individuals.
    In light of the ameliorative actions outlined above, VA 
does not believe that H.R. 5588 is necessary and does not 
support enactment.


                               h.r. 5636


    H.R. 5636, the ``Social Security Numbers Privacy and 
Protection Act,'' would require: (1) the alteration of 
selective service reminder mailback cards; and (2) the 
elimination and prohibition of social security account numbers 
from Medicare, Medicaid, and SCHIP- and VA-issued health care 
identification cards by the end of the two-year period after 
the enactment of the Act.
    VA supports alternative methods for the identification of 
veterans for the purpose of providing health care or other 
benefits available under Title 38. To that end, VA has already 
removed the social security numbers from the Veterans 
Identification Cards known as VIC cards and is therefore 
already in compliance with the bill. With respect to Medicare, 
Medicaid, and SCHIP programs, the Department of Health and 
Human Services advises us that instituting a new number for use 
on the identity cards used for these programs would entail 
substantial expense and require a substantially longer time 
than allowed by the bill. They are continuing to work on these 
efforts. Therefore, we believe that enactment of H.R. 5636 
would not be productive.


                               conclusion


    As I have indicated, VA already has implemented many of the 
provisions of the various bills that provide, among other 
things, stronger safeguards to protect against data breaches 
within the Department. VA is strongly committed to providing 
all available protections to the safety and security of 
personal information of all veterans and their beneficiaries. 
As we continue to work on improvements in our systems and 
procedures, we will be pleased to work with your Committee in 
fostering methods to achieve a level of information security 
that is responsible and necessary.

               Congressional Budget Office Cost Estimate

    The following letter was received from the Congressional 
Budget Office concerning the cost of the reported bill:

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 28, 2006.
Hon. Steve Buyer,
Chairman, Committee on Veterans' Affairs,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5835, the Veterans 
Identity and Credit Security Act of 2006.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Sam 
Papenfuss.
            Sincerely,
                                          Donald B. Marron,
                                                   Acting Director.
    Enclosure.

H.R. 5835--Veterans Identity and Credit Security Act of 2006

    Summary: H.R. 5835 would create a new Office of the Under 
Secretary for Information Services within the Department of 
Veterans Affairs (VA). The bill also would require VA to notify 
affected individuals when sensitive, personal information held 
by VA is lost, stolen, or otherwise compromised. Additionally, 
if the Secretary of VA determines there is a risk that the 
compromised information could be used in a criminal manner, VA 
would be required to provide services to alleviate any loss 
those individuals might suffer. Furthermore, H.R. 5835 would 
require contractors to pay damages to VA if the compromised 
information was under the contractors' control and would allow 
VA to spend those receipts without further appropriation 
action. Finally, the bill would allow VA to provide 
scholarships and pay school debts for individuals pursuing a 
doctoral degree in computer science or related fields who agree 
to work for VA.
    CBO estimates that implementing H.R. 5835 would cost $5 
million in 2007 and about $50 million over the 2007-2011 
period, assuming appropriation of the estimated amounts. 
However, if VA were to experience another data breach similar 
to the recent incident involving personal information on 17 
million individuals, the cost could be as much as $1 billion. 
Under the bill, VA would be authorized to collect and spend 
certain receipts, but CBO estimates that the net effect of 
those receipts on the federal budget would be insignificant.
    H.R. 5835 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would not affect the budgets of state, local, or tribal 
governments.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 5835 is shown in the following table. 
The costs of this legislation fall within budget function 700 
(veterans benefits and services).

----------------------------------------------------------------------------------------------------------------
                                                                  By fiscal year, in millions of dollars--
                                                           -----------------------------------------------------
                                                              2006     2007     2008     2009     2010     2011
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Credit-Protection Services:
    Estimated Authorization Level.........................        0        9       10       10       10       11
    Estimated Outlays.....................................        0        5        9       10       10       11
Scholarships and Debt Reduction:
    Estimated Authorization Level.........................        0      (*)        1        1        1        1
    Estimated Outlays.....................................        0      (*)        1        1        1        1
Total Changes in Spending Under H.R. 5835:
    Estimated Authorization Level.........................        0        9       11       11       11       12
    Estimated Outlays.....................................        0        5       10       11       11       12
----------------------------------------------------------------------------------------------------------------
Note.--* = less than $500,000.

    Basis of estimate: For the purposes of this estimate, CBO 
assumes that the bill will be enacted near the start of fiscal 
year 2007 and that the estimated amounts will be appropriated 
for each year.

Spending subject to appropriation

    Assuming appropriation of the estimated amounts, 
implementing H.R. 5835 would cost $5 million in 2007 and about 
$50 million over the 2007-2011 period, CBO estimates. This 
spending would be for credit-protection services for certain 
veterans and for scholarships and debt-reduction grants 
provided to current and future VA employees.
    Credit-Protection Services. H.R. 4835 would require VA to 
notify individuals and provide them with certain services when 
their sensitive, personal information is lost, stolen, or 
otherwise compromised, while in VA's possession. All of those 
services would be provided at no cost to those individuals. 
Initially, VA would have to:
          • Notify all affected individuals of the lost 
        or compromised data,
          • Inform those individuals of the steps VA is 
        taking to remedy the problem,
          • Explain to each individual the advantages 
        and disadvantages of requesting a fraud alert and a 
        credit security freeze from the major credit-reporting 
        agencies, and
          • Contract with the credit-reporting agencies 
        to implement a security freeze of the file of each 
        affected individual who requests it.
    If the Secretary of VA determines there is a reasonable 
risk that the compromised data could be misused, the department 
would have to provide an additional notification detailing the 
availability of credit-protection services. Under the bill, VA 
would contract with one of the principal credit-reporting 
agencies to provide affected individuals credit-protection 
services that include:
          • A credit report every three months,
          • Services to assist in rehabilitating the 
        individual's credit in the event of identity theft, and
          • Identity theft insurance of up to $30,000 
        that would cover the damages of identity theft, 
        including travel costs, legal fees, and lost wages.
    Based on publicly available information on the recent loss 
of personal information by government agencies (including VA), 
CBO estimates that VA could be expected to experience an 
average of three incidents a year in which sensitive, personal 
information is compromised in some manner. Excluding the 
incident that occurred on May 3, 2006, when a computer with 
information on more than 17 million people was stolen, the 
average number of people affected by a data breach has been 
about 50,000. Based on information from VA, CBO expects that 
the cost of notifying individuals in the event of such data 
breaches would generally be less than $500,000 a year.
    Using information from a Federal Trade Commission survey 
report on identity theft, CBO estimates that 10 percent to 15 
percent of those individuals who have their personal 
information compromised might have problems with identity theft 
and experience a loss. CBO estimates that, in 2007, such a loss 
would, on average, amount to about $450. Thus, CBO estimates 
that requiring VA to provide insurance and fraud-resolution 
services to individuals who have had their personal information 
compromised would cost about $10 million a year, on average, 
assuming appropriation of the necessary amounts. CBO projects 
that outlays would be $5 million in 2007 and about $45 million 
over the 2007-2011 period. (If VA were to experience another 
data breach where information for more than 17 million people 
were to be compromised, the cost for such an incident could be 
as high as $1 billion.)
    Scholarship and Debt Reduction. H.R. 5835 also would 
establish programs that would improve VA's ability to recruit 
employees with skills in information security. The bill would 
allow VA to pay tuition, fees, and a monthly stipend of $1,500 
for individuals who are pursuing a doctoral degree in computer 
science or a related field. Under the bill, VA could provide 
the assistance for up to five years if those individuals agreed 
to work at VA for twice as long as they received such 
assistance. VA could offer up to five new scholarships each 
year and could provide up to $50,000 a year or $200,000 per 
scholarship for each individual.
    In addition, H.R. 5835 would allow VA to establish an 
education debt-reduction program as a recruitment tool to 
attract individuals who completed a doctoral program in 
computer science or a related field within the previous five 
years. The bill would allow VA to pay up to $16,500 a year for 
five years to eligible employees for repayment of loans related 
to their doctoral degree. VA would be authorized to make such 
payments to an additional five individuals each year.
    Based on the amounts specified in the bill, CBO estimates 
that implementing these provisions would cost less than 
$500,000 in 2007 and about $4 million over the 2007-2011 
period, assuming appropriation of the necessary amounts.

Direct spending

    Section 4 of the bill would require that VA contractors who 
have access to sensitive personal information pay damages to VA 
in the event the personal data is compromised. Damages paid to 
VA would be credited to the appropriation account under which 
the contract was paid and would be available without fiscal 
year limitation to pay for credit-protection services. Because 
VA would be able to spend the funds collected under this 
section, CBO estimates that enacting the bill would have no 
significant net effect on direct spending in any year over the 
2007-2016 period.
    Intergovernmental and private-sector impact: H.R. 5835 
contains no intergovernmental or private-sector mandates as 
defined in UMRA and would not affect the budgets of state, 
local, or tribal governments.
    Estimate prepared by: Federal Costs: Sam Papenfuss. Impact 
on State, Local, and Tribal Governments: Melissa Merrell. 
Impact on the Private Sector: Allison Percy.
    Estimate approved by: Robert A. Sunshine, Assistant 
Director for Budget Analysis.

                     Statement of Federal Mandates

    The preceding Congressional Budget Office (CBO) cost 
estimate states that H.R. 5835, as amended, does not contain 
any intergovernmental and private-sector mandates as defined in 
the Unfunded Mandates Reform Act (UMRA), Public Law 104-4.

                 Statement of Constitutional Authority

    Pursuant to Article I, section 8 of the United States 
Constitution, the reported bill is authorized by Congress' 
power to ``provide for the common Defense and general Welfare 
of the United States.''

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

               CHAPTER 35 OF TITLE 44, UNITED STATES CODE


CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



SUBCHAPTER III--INFORMATION SECURITY

           *       *       *       *       *       *       *



Sec. 3542. Definitions

  (a) * * *
  (b) Additional Definitions.--As used in this subchapter:
          (1) * * *

           *       *       *       *       *       *       *

          (4) The term ``sensitive personal information'' means 
        any information contained in a record, as defined in 
        section 552a(4) of title 5.

           *       *       *       *       *       *       *


Sec. 3543. Authority and functions of the Director

  (a) In General.--The Director shall oversee agency 
information security policies and practices, including--
          (1) * * *

           *       *       *       *       *       *       *

          (7) overseeing the operation of the Federal 
        information security incident center required under 
        section 3546; [and]
          (8) reporting to Congress no later than March 1 of 
        each year on agency compliance with the requirements of 
        this subchapter, including--
                  (A) * * *

           *       *       *       *       *       *       *

                  (E) a summary of, and the views of the 
                Director on, the report prepared by the 
                National Institute of Standards and Technology 
                under section 20(d)(10) of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3)[.]; and
          (9) establishing policies, procedures, and standards 
        for agencies to follow in the event of a breach of data 
        security involving the disclosure of sensitive personal 
        information in violation of section 552a of title 5, 
        including a requirement for timely notice to be given 
        to those individuals whose sensitive personal 
        information could be compromised as a result of such 
        breach, except no notice shall be required if the 
        breach does not create a reasonable risk of identity 
        theft, fraud, or other unlawful conduct regarding such 
        individual.

           *       *       *       *       *       *       *


Sec. 3544. Federal agency responsibilities

  (a) In General.--The head of each agency shall--
          (1) * * *

           *       *       *       *       *       *       *

          (3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with and, to the extent determined 
        necessary and explicitly authorized by the head of the 
        agency, to enforce the requirements imposed on the 
        agency under this subchapter, including--
                  (A) * * *

           *       *       *       *       *       *       *

  (b) Agency Program.--Each agency shall develop, document, and 
implement an agencywide information security program, approved 
by the Director under section 3543(a)(5), to provide 
information security for the information and information 
systems that support the operations and assets of the agency, 
including those provided or managed by another agency, 
contractor, or other source, that includes--
          (1) * * *

           *       *       *       *       *       *       *

          (7) procedures for detecting, reporting, and 
        responding to security incidents, consistent with 
        standards and guidelines issued pursuant to section 
        3546(b), including--
                  (A) * * *

           *       *       *       *       *       *       *

                  (C) notifying and consulting with, as 
                appropriate--
                          (i) * * *

           *       *       *       *       *       *       *

                          (iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; [and]
          (8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency[.]; and
          (9) procedures for notifying individuals whose 
        sensitive personal information is compromised 
        consistent with policies, procedures, and standards 
        established under section 3543(a)(9) of this title.

           *       *       *       *       *       *       *

                              ----------                              


TITLE 38, UNITED STATES CODE

           *       *       *       *       *       *       *


                       PART I--GENERAL PROVISIONS

Chapter                                                             Sec.
      General........................................................101
     * * * * * * *

              PART V--BOARDS, ADMINISTRATIONS, AND SERVICES

      Board of Veterans' Appeals....................................7101
     * * * * * * *
      Information Security Education Assistance Program.............7901

           *       *       *       *       *       *       *


PART I--GENERAL PROVISIONS

           *       *       *       *       *       *       *


               CHAPTER 3--DEPARTMENT OF VETERANS AFFAIRS

Sec.
301.  Department.
     * * * * * * *
307A.   Under Secretary for Information Services.
     * * * * * * *

Sec. 307A. Under Secretary for Information Services

  (a) Under Secretary.--There is in the Department an Under 
Secretary for Information Services, who is appointed by the 
President, by and with the advice and consent of the Senate. 
The Under Secretary shall be the head of the Office of 
Information Services and shall perform such functions as the 
Secretary shall prescribe.
  (b) Service as Chief Information Officer.--Notwithstanding 
any other provision of law, the Under Secretary for Information 
Services shall serve as the Chief Information Officer of the 
Department under section 310 of this title.

Sec. 308. Assistant Secretaries; Deputy Assistant Secretaries

  (a) * * *
  (b) The Secretary shall assign to the Assistant Secretaries 
responsibility for the administration of such functions and 
duties as the Secretary considers appropriate, including the 
following functions:
          (1) * * *

           *       *       *       *       *       *       *

          [(5) Information management functions as required by 
        section 3506 of title 44.]
          [(6)] (5) Capital facilities and real property 
        program functions.
          [(7)] (6) Equal opportunity functions.
          [(8)] (7) Functions regarding the investigation of 
        complaints of employment discrimination within the 
        Department.
          [(9)] (8) Functions regarding intergovernmental, 
        public, and consumer information and affairs.
          [(10)] (9) Procurement functions.
          [(11)] (10) Operations, preparedness, security, and 
        law enforcement functions.

           *       *       *       *       *       *       *


PART IV--GENERAL ADMINISTRATIVE PROVISIONS

           *       *       *       *       *       *       *


                 CHAPTER 57--RECORDS AND INVESTIGATIONS

                         SUBCHAPTER I--RECORDS

Sec.
5701.  Confidential nature of claims.
     * * * * * * *

                   Subchapter III--Information Security

5721.  Definitions.
5722.  Office of the Under Secretary for Information Services.
5723.  Information security management.
5724.  Congressional reporting and notification of data breaches.
5725.  Data breaches.
5726.  Provision of credit protection services.
5727.  Contracts for data processing or maintenance.
5728.  Authorization of appropriations.

           *       *       *       *       *       *       *


                  SUBCHAPTER III--INFORMATION SECURITY

Sec. 5721. Definitions

  For the purposes of this subchapter:
          (1) The term ``sensitive personal information'' means 
        the name, address, or telephone number of an 
        individual, in combination with any of the following:
                  (A) The Social Security number of the 
                individual.
                  (B) The date of birth of the individual.
                  (C) Any information not available as part of 
                the public record regarding the individual's 
                military service or health.
                  (D) Any financial account or other financial 
                information relating to the individual.
                  (E) The driver's license number or equivalent 
                State identification number of the individual.
                  (F) The deoxyribonucleic acid profile or 
                other unique biometric data of the individual, 
                including the fingerprint, voice print, retina 
                or iris image, or other unique physical 
                representation of the individual.
          (2) The term ``data breach'' means the loss, theft, 
        or other unauthorized access to data containing 
        sensitive personal information, in electronic or 
        printed form, that results in the potential compromise 
        of the confidentiality or integrity of the data.
          (3) The term ``data breach analysis'' means the 
        identification of any misuse of sensitive personal 
        information involved in a data breach.
          (4) The term ``fraud resolution services'' means 
        services to assist an individual in the process of 
        recovering and rehabilitating the credit of the 
        individual after the individual experiences identity 
        theft.
          (5) The term ``identity theft'' has the meaning given 
        such term under section 603 of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a).
          (6) The term ``identity theft insurance'' means any 
        insurance policy that pays benefits for costs, 
        including travel costs, notary fees, and postage costs, 
        lost wages, and legal fees and expenses associated with 
        the identity theft of the insured individual.
          (7) The term ``principal credit reporting agency'' 
        means a consumer reporting agency as described in 
        section 603(p) of the Fair Credit Reporting Act (15 
        U.S.C. 1681a(p)).

Sec. 5722. Office of the Under Secretary for Information Services

  (a) Deputy Under Secretaries.--The Office of the Under 
Secretary for Information Services shall consist of the 
following:
          (1) The Deputy Under Secretary for Information 
        Services for Security, who shall serve as the Senior 
        Information Security Officer of the Department.
          (2) The Deputy Under Secretary for Information 
        Services for Operations and Management.
          (3) The Deputy Under Secretary for Information 
        Services for Policy and Planning.
  (b) Appointments.--Appointments under subsection (a) shall be 
made by the Secretary, notwithstanding the limitations of 
section 709 of this title.
  (c) Qualifications.--At least one of the positions established 
and filled under subsection (a) shall be filled by an 
individual who has at least five years of continuous service in 
the Federal civil service in the executive branch immediately 
preceding the appointment of the individual as a Deputy Under 
Secretary. For purposes of determining such continuous service 
of an individual, there shall be excluded any service by such 
individual in a position--
          (1) of a confidential, policy-determining, policy-
        making, or policy-advocating character;
          (2) in which such individual served as a noncareer 
        appointee in the Senior Executive Service, as such term 
        is defined in section 3132(a)(7) of title 5; or
          (3) to which such individual was appointed by the 
        President.

Sec. 5723. Information security management

  (a) Responsibilities of Chief Information Officer.--To 
support the economical, efficient, and effective execution of 
subtitle III of chapter 35 of title 44, and policies and plans 
of the Department, the Secretary shall ensure that the Chief 
Information Officer of the Department has the authority and 
control necessary to develop, approve, implement, integrate, 
and oversee the policies, procedures, processes, activities, 
and systems of the Department relating to that subtitle, 
including the management of all related mission applications, 
information resources, personnel, and infrastructure.
  (b) Annual Compliance Report.--Not later than March 1 of each 
year, the Secretary shall submit to the Committees on Veterans' 
Affairs of the Senate and House of Representatives, the 
Committee on Government Reform of the House of Representatives, 
and the Committee on Homeland Security and Governmental Affairs 
of the Senate, a report on the Department's compliance with 
subtitle III of chapter 35 of title 44. The information in such 
report shall be displayed in the aggregate and separately for 
each Administration, office, and facility of the Department.
  (c) Reports to Secretary of Compliance Deficiencies.--(1) At 
least once every month, the Chief Information Officer shall 
report to the Secretary any deficiency in the compliance with 
subtitle III of chapter 35 of title 44 of the Department or any 
Administration, office, or facility of the Department.
  (2) The Chief Information Officer shall immediately report to 
the Secretary any significant deficiency in such compliance.
  (d) Data Breaches.--(1) The Chief Information Officer shall 
immediately provide notice to the Secretary of any data breach.
  (2) Immediately after receiving notice of a data breach under 
paragraph (1), the Secretary shall provide notice of such 
breach to the Director of the Office of Management and Budget, 
the Inspector General of the Department, and, if appropriate, 
the Federal Trade Commission and the United States Secret 
Service.
  (e) Budgetary Matters.--When the budget for any fiscal year 
is submitted by the President to Congress under section 1105 of 
title 31, the Secretary shall submit to Congress a report that 
identifies amounts requested for Department implementation and 
remediation of and compliance with this subchapter and subtitle 
III of chapter 35 of title 44. The report shall set forth those 
amounts both for each Administration within the Department and 
for the Department in the aggregate and shall identify, for 
each such amount, how that amount is aligned with and supports 
such implementation and compliance.

Sec. 5724. Congressional reporting and notification of data breaches

  (a) Quarterly Reports.--(1) Not later than 30 days after the 
last day of a fiscal quarter, the Secretary shall submit to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives a report on any data breach with respect to 
sensitive personal information processed or maintained by the 
Department that occurred during that quarter.
  (2) Each report submitted under paragraph (1) shall identify, 
for each data breach covered by the report, the Administration 
and facility of the Department responsible for processing or 
maintaining the sensitive personal information involved in the 
data breach.
  (b) Notification of Significant Data Breaches.--(1) In the 
event of a data breach with respect to sensitive personal 
information processed or maintained by the Secretary that the 
Secretary determines is significant, the Secretary shall 
provide notice of such breach to the Committees on Veterans' 
Affairs of the Senate and House of Representatives.
  (2) Notice under paragraph (1) shall be provided promptly 
following the discovery of such a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.

Sec. 5725. Data breaches

  (a) Independent Risk Analysis.--(1) In the event of a data 
breach with respect to sensitive personal information that is 
processed or maintained by the Secretary, the Secretary shall 
ensure that, as soon as possible after the data breach, a non-
Department entity conducts an independent risk analysis of the 
data breach to determine the level of risk associated with the 
data breach for the potential misuse of any sensitive personal 
information involved in the data breach.
  (2) If the Secretary determines, based on the findings of a 
risk analysis conducted under paragraph (1), that a reasonable 
risk exists for the potential misuse of sensitive information 
involved in a data breach, the Secretary shall provide credit 
protection services in accordance with section 5726 of this 
title.
  (b) Notification.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall provide to an 
individual whose sensitive personal information is involved in 
that breach notice of the data breach--
          (A) in writing; or
          (B) by email, if--
                  (i) the Department's primary method of 
                communication with the individual is by email; 
                and
                  (ii) the individual has consented to receive 
                such notification.
  (2) Notice provided under paragraph (1) shall--
          (A) describe the circumstances of the data breach and 
        the risk that the breach could lead to misuse, 
        including identity theft, involving the sensitive 
        personal information of the individual;
          (B) describe the specific types of sensitive personal 
        information that was compromised as a part of the data 
        breach;
          (C) describe the actions the Department is taking to 
        remedy the data breach;
          (D) inform the individual that the individual may 
        request a fraud alert and credit security freeze under 
        this section;
          (E) clearly explain the advantages and disadvantages 
        to the individual of receiving fraud alerts and credit 
        security freezes under this section; and
          (F) include such other information as the Secretary 
        determines is appropriate.
  (3) The notice required under paragraph (1) shall be provided 
promptly following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
  (c) Report.--For each data breach with respect to sensitive 
personal information processed or maintained by the Secretary, 
the Secretary shall promptly submit to the Committees on 
Veterans' Affairs of the Senate and House of Representatives a 
report containing the findings of any independent risk analysis 
conducted under subsection (a)(1), any determination of the 
Secretary under subsection (a)(2), and a description of any 
credit protection services provided under section 5726 of this 
title.
  (d) Final Determination.--Notwithstanding sections 511 and 
7104(a) of this title, any determination of the Secretary under 
subsection (a)(2) with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach is final and conclusive and may not be reviewed by any 
other official, administrative body, or court, whether by an 
action in the nature of mandamus or otherwise.
  (e) Fraud Alerts.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall arrange, upon 
the request of an individual whose sensitive personal 
information is involved in the breach to a principal credit 
reporting agency with which the Secretary has entered into a 
contract under section 5726(d) and at no cost to the 
individual, for the principal credit reporting agency to 
provide fraud alert services for that individual for a period 
of not less than one year, beginning on the date of such 
request, unless the individual requests that such fraud alert 
be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
  (2) The Secretary shall arrange for each principal credit 
reporting agency referred to in paragraph (1) to provide any 
alert requested under such subsection in the file of the 
individual along with any credit score generated in using that 
file, for a period of not less than one year, beginning on the 
date of such request, unless the individual requests that such 
fraud alert be removed before the end of such period, and the 
agency receives appropriate proof of the identity of the 
individual for such purpose.
  (f) Credit Security Freeze.--(1) In the event of a data 
breach with respect to sensitive personal information that is 
processed or maintained by the Secretary, the Secretary shall 
arrange, upon the request of an individual whose sensitive 
personal information is involved in the breach and at no cost 
to the individual, for each principal credit reporting agency 
to apply a security freeze to the file of that individual for a 
period of not less than one year, beginning on the date of such 
request, unless the individual requests that such security 
freeze be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
  (2) The Secretary shall arrange for a principal credit 
reporting agency applying a security freeze under paragraph 
(1)--
          (A) to send a written confirmation of the security 
        freeze to the individual within five business days of 
        applying the freeze;
          (B) to refer the information regarding the security 
        freeze to other consumer reporting agencies;
          (C) to provide the individual with a unique personal 
        identification number or password to be used by the 
        individual when providing authorization for the release 
        of the individual's credit for a specific party or 
        period of time; and
          (D) upon the request of the individual, to 
        temporarily lift the freeze for a period of time 
        specified by the individual, beginning not later than 
        three business days after the date on which the agency 
        receives the request.

Sec. 5726. Provision of credit protection services

  (a) Covered Individual.--For purposes of this section, a 
covered individual is an individual whose sensitive personal 
information that is processed or maintained by the Department 
(or any third-party entity acting on behalf of the Department) 
is involved, on or after August 1, 2005, in a data breach for 
which the Secretary determines a reasonable risk exists for the 
potential misuse of sensitive personal information under 
section 5725(a)(2) of this title.
  (b) Notification.--(1) In addition to any notice required 
under subsection 5725(b) of this title, the Secretary shall 
provide to a covered individual notice in writing that--
          (A) the individual may request credit protection 
        services under this section;
          (B) clearly explains the advantages and disadvantages 
        to the individual of receiving credit protection 
        services under this section;
          (C) includes a notice of which principal credit 
        reporting agency the Secretary has entered into a 
        contract with under subsection (d), and information 
        about requesting services through that agency;
          (D) describes actions the individual can or should 
        take to reduce the risk of identity theft; and
          (E) includes such other information as the Secretary 
        determines is appropriate.
  (2) The notice required under paragraph (1) shall be made as 
promptly as possible and without unreasonable delay following 
the discovery of a data breach for which the Secretary 
determines a reasonable risk exists for the potential misuse of 
sensitive personal information under section 5725(a)(2) of this 
title and the implementation of any measures necessary to 
determine the scope of the breach, prevent any further breach 
or unauthorized disclosures, and reasonably restore the 
integrity of the data system.
  (3) The Secretary shall ensure that each notification under 
paragraph (1) includes a form or other means for readily 
requesting the credit protection services under this section. 
Such form or other means may include a telephone number, email 
address, or Internet website address.
  (c) Availability of Services Through Other Government 
Agencies.--If a service required to be provided under this 
section is available to a covered individual through another 
department or agency of the Government, the Secretary and the 
head of that department or agency may enter into an agreement 
under which the head of that department or agency agrees to 
provide that service to the covered individual.
  (d) Contract With Credit Reporting Agency.--Subject to the 
availability of appropriations and notwithstanding any other 
provision of law, the Secretary shall enter into contracts or 
other agreements as necessary with one or more principal credit 
reporting agencies in order to ensure, in advance, the 
provision of credit protection services under this section and 
fraud alerts and security freezes under section 5725 of this 
title. Any such contract or agreement may include provisions 
for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
  (e) Data Breach Analysis.--The Secretary shall arrange, upon 
the request of a covered individual and at no cost to the 
individual, to provide data breach analysis for the individual 
for a period of not less than one year, beginning on the date 
of such request.
  (f) Provision of Credit Monitoring Services and Identity 
Theft Insurance.--During the one-year period beginning on the 
date on which the Secretary notifies a covered individual that 
the individual's sensitive personal information is involved in 
a data breach, the Secretary shall arrange, upon the request of 
the individual and without charge to the individual, for the 
provision of credit monitoring services to the individual. 
Credit monitoring services under this subsection shall include 
each of the following:
          (1) One copy of the credit report of the individual 
        every three months.
          (2) Fraud resolution services for the individual.
          (3) Identity theft insurance in a coverage amount 
        that does not exceed $30,000 in aggregate liability for 
        the insured.

Sec. 5727. Contracts for data processing or maintenance

  (a) Contract Requirements.--If the Secretary enters into a 
contract for the performance of any Department function that 
requires access to sensitive personal information, the 
Secretary shall require as a condition of the contract that--
          (1) the contractor shall not, directly or through an 
        affiliate of the contractor, disclose such information 
        to any other person unless the disclosure is lawful and 
        is expressly permitted under the contract;
          (2) the contractor, or any subcontractor for a 
        subcontract of the contract, shall promptly notify the 
        Secretary of any data breach that occurs with respect 
        to such information.
  (b) Liquidated Damages.--Each contract subject to the 
requirements of subsection (a) shall provide for liquidated 
damages to be paid by the contractor to the Secretary in the 
event of a data breach with respect to any sensitive personal 
information processed or maintained by the contractor or any 
subcontractor under that contract.
  (c) Provision of Credit Protection Services.--Any amount 
collected by the Secretary under subsection (b) shall be 
deposited in or credited to the Department account from which 
the contractor was paid and shall remain available for 
obligation without fiscal year limitation exclusively for the 
purpose of providing credit protection services in accordance 
with section 5726 of this title.

Sec. 5728. Authorization of appropriations

  There are authorized to be appropriated to carry out this 
subchapter such sums as may be necessary for each fiscal year.

           *       *       *       *       *       *       *


             PART V--BOARDS, ADMINISTRATIONS, AND SERVICES

Chapter                                                             Sec.
      Board of Veterans' Appeals....................................7101
     * * * * * * *
      Information Security Education Assistance Program.............7901

           *       *       *       *       *       *       *


     CHAPTER 79--INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM

Sec.
7901.  Programs; purpose.
7902.  Scholarship program.
7903.  Education debt reduction program.
7904.  Preferences in awarding financial assistance.
7905.  Requirement of honorable discharge for veterans receiving 
          assistance.
7906.  Regulations.
7907.  Termination.

Sec. 7901. Programs; purpose

  (a) In General.--To encourage the recruitment and retention 
of Department personnel who have the information security 
skills necessary to meet Department requirements, the Secretary 
shall carry out programs in accordance with this chapter to 
provide financial support for education in computer science and 
electrical and computer engineering at accredited institutions 
of higher education.
  (b) Types of Programs.--The programs authorized under this 
chapter are as follows:
          (1) Scholarships for pursuit of doctoral degrees in 
        computer science and electrical and computer 
        engineering at accredited institutions of higher 
        education.
          (2) Education debt reduction for Department personnel 
        who hold doctoral degrees in computer science and 
        electrical and computer engineering at accredited 
        institutions of higher education.

Sec. 7902. Scholarship program

  (a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish a scholarship 
program under which the Secretary shall, subject to subsection 
(d), provide financial assistance in accordance with this 
section to a qualified person--
          (A) who is pursuing a doctoral degree in computer 
        science or electrical or computer engineering at an 
        accredited institution of higher education; and
          (B) who enters into an agreement with the Secretary 
        as described in subsection (b).
  (2)(A) Except as provided under subparagraph (B), the 
Secretary may provide financial assistance under this section 
to an individual for up to five years.
  (B) The Secretary may waive the limitation under subparagraph 
(A) if the Secretary determines that such a waiver is 
appropriate.
  (3)(A) The Secretary may award up to five scholarships for 
any academic year to individuals who did not receive assistance 
under this section for the preceding academic year.
  (B) Not more than one scholarship awarded under subparagraph 
(A) may be awarded to an individual who is an employee of the 
Department when the scholarship is awarded.
  (b) Service Agreement for Scholarship Recipients.--(1) To 
receive financial assistance under this section an individual 
shall enter into an agreement to accept and continue employment 
in the Department for the period of obligated service 
determined under paragraph (2).
  (2) For the purposes of this subsection, the period of 
obligated service for a recipient of financial assistance under 
this section shall be the period determined by the Secretary as 
being appropriate to obtain adequate service in exchange for 
the financial assistance and otherwise to achieve the goals set 
forth in section 7901(a) of this title. In no event may the 
period of service required of a recipient be less than the 
period equal to two times the total period of pursuit of a 
degree for which the Secretary agrees to provide the recipient 
with financial assistance under this section. The period of 
obligated service is in addition to any other period for which 
the recipient is obligated to serve on active duty or in the 
civil service, as the case may be.
  (3) An agreement entered into under this section by a person 
pursuing a doctoral degree shall include terms that provide 
the following:
          (A) That the period of obligated service begins on a 
        date after the award of the degree that is determined 
        under the regulations prescribed under section 7906 of 
        this title.
          (B) That the individual will maintain satisfactory 
        academic progress, as determined in accordance with 
        those regulations, and that failure to maintain such 
        progress constitutes grounds for termination of the 
        financial assistance for the individual under this 
        section.
          (C) Any other terms and conditions that the Secretary 
        determines appropriate for carrying out this section.
  (c) Amount of Assistance.--(1) The amount of the financial 
assistance provided for an individual under this section shall 
be the amount determined by the Secretary as being necessary to 
pay--
          (A) the tuition and fees of the individual; and
          (B) $1500 to the individual each month (including a 
        month between academic semesters or terms leading to 
        the degree for which such assistance is provided or 
        during which the individual is not enrolled in a course 
        of education but is pursuing independent research 
        leading to such degree) for books, laboratory expenses, 
        and expenses of room and board.
  (2) In no case may the amount of assistance provided for an 
individual under this section for an academic year exceed 
$50,000.
  (3) In no case may the total amount of assistance provided 
for an individual under this section exceed $200,000.
  (4) Notwithstanding any other provision of law, financial 
assistance paid an individual under this section shall not be 
considered as income or resources in determining eligibility 
for, or the amount of benefits under, any Federal or federally 
assisted program.
  (d) Repayment for Period of Unserved Obligated Service.--(1) 
An individual who receives financial assistance under this 
section shall repay to the Secretary an amount equal to the 
unearned portion of the financial assistance if the individual 
fails to satisfy the requirements of the service agreement 
entered into under subsection (b), except in certain 
circumstances authorized by the Secretary.
  (2) The Secretary may establish, by regulations, procedures 
for determining the amount of the repayment required under this 
subsection and the circumstances under which an exception to 
the required repayment may be granted.
  (3) An obligation to repay the Secretary under this 
subsection is, for all purposes, a debt owed the United States. 
A discharge in bankruptcy under title 11 does not discharge a 
person from such debt if the discharge order is entered less 
than five years after the date of the termination of the 
agreement or contract on which the debt is based.
  (e) Waiver or Suspension of Compliance.--The Secretary shall 
prescribe regulations providing for the waiver or suspension of 
any obligation of an individual for service or payment under 
this section (or an agreement under this section) whenever 
noncompliance by the individual is due to circumstances beyond 
the control of the individual or whenever the Secretary 
determines that the waiver or suspension of compliance is in 
the best interest of the United States.
  (f) Internships.--(1) The Secretary may offer a compensated 
internship to an individual for whom financial assistance is 
provided under this section during a period between academic 
semesters or terms leading to the degree for which such 
assistance is provided. Compensation provided for such an 
internship shall be in addition to the financial assistance 
provided under this section.
  (2) An internship under this subsection shall not be counted 
toward satisfying a period of obligated service under this 
section.
  (g) Ineligibility of Individuals Receiving Certain Education 
Assistance Payments.--An individual who receives a payment of 
educational assistance under chapter 30, 31, 32, 34, or 35 of 
this title or chapter 1606 or 1607 of title 10 for a month in 
which the individual is enrolled in a course of education 
leading to a doctoral degree in information security is not 
eligible to receive financial assistance under this section for 
that month.

Sec. 7903. Education debt reduction program

  (a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish an education debt 
reduction program under which the Secretary shall make 
education debt reduction payments under this section to 
qualified individuals eligible under subsection (b) for the 
purpose of reimbursing such individuals for payments by such 
individuals of principal and interest on loans described in 
paragraph (2) of that subsection.
  (2)(A) For each fiscal year, the Secretary may accept up to 
five individuals into the program established under paragraph 
(1) who did not receive such a payment during the preceding 
fiscal year.
  (B) Not more than one individual accepted into the program 
for a fiscal year under subsection (A) shall be a Department 
employee as of the date on which the individual is accepted 
into the program.
  (b) Eligibility.--An individual is eligible to participate in 
the program under this section if the individual--
          (1) has completed a doctoral degree 
        in computer science or electrical or computer 
        engineering at an accredited institution of higher 
        education during the five-year period preceding the 
        date on which the individual is hired;
          (2) is an employee of the Department who serves in a 
        position related to information security (as determined 
        by the Secretary); and
          (3) owes any amount of principal or interest under a 
        loan, the proceeds of which were used by or on behalf 
        of that individual to pay costs relating to a doctoral 
        degree in computer science or electrical or computer 
        engineering at an accredited institution of higher 
        education.
  (c) Amount of Assistance.--(1) Subject to paragraph (2), the 
amount of education debt reduction payments made to an 
individual under this section may not exceed $82,500 over a 
total of five years, of which not more than $16,500 of such 
payments may be made in each year.
  (2) The total amount payable to an individual under this 
section for any year may not exceed the amount of the principal 
and interest on loans referred to in subsection (b)(3) that is 
paid by the individual during such year.
  (d) Payments.--(1) The Secretary shall make education debt 
reduction payments under this section on an annual basis.
  (2) The Secretary shall make such a payment--
          (A) on the last day of the one-year period beginning 
        on the date on which the individual is accepted into 
        the program established under subsection (a); or
          (B) in the case of an individual who received a 
        payment under this section for the preceding fiscal 
        year, on the last day of the one-year period beginning 
        on the date on which the individual last received such 
        a payment.
  (3) Notwithstanding any other provision of law, education 
debt reduction payments under this section shall not be 
considered as income or resources in determining eligibility 
for, or the amount of benefits under, any Federal or federally 
assisted program.
  (e) Performance Requirement.--The Secretary may make 
education debt reduction payments to an individual under this 
section for a year only if the Secretary determines that the 
individual maintained an acceptable level of performance in the 
position or positions served by the individual during the year.
  (f) Notification of Terms of Provision of Payments.--The 
Secretary shall provide to an individual who receives a payment 
under this section notice in writing of the terms and 
conditions that apply to such a payment.
  (g) Covered Costs.--For purposes of subsection (b)(3), costs 
relating to a course of education or training include--
          (1) tuition expenses; and
          (2) all other reasonable educational expenses, 
        including fees, books, and laboratory expenses;

Sec. 7904. Preferences in awarding financial assistance

  In awarding financial assistance under this chapter, the 
Secretary shall give a preference to qualified individuals who 
are otherwise eligible to receive the financial assistance in 
the following order of priority:
          (1) Veterans with service-connected disabilities.
          (2) Veterans.
          (3) Persons described in section 4215(a)(1)(B) of 
        this title.
          (4) Individuals who received or are pursuing degrees 
        at institutions designated by the National Security 
        Agency as Centers of Academic Excellence in Information 
        Assurance Education.
          (5) Citizens of the United States.

Sec. 7905. Requirement of honorable discharge for veterans receiving 
                    assistance

  No veteran shall receive financial assistance under this 
chapter unless the veteran was discharged from the Armed Forces 
under honorable conditions.

Sec. 7906. Regulations

  The Secretary shall prescribe regulations for the 
administration of this chapter.

Sec. 7907. Termination

  The authority of the Secretary to make a payment under this 
chapter shall terminate on July 31, 2017.

           *       *       *       *       *       *       *