The Privacy Act of 1974, 5 U.S.C. § 552a (2006), which has been in effect since September 27, 1975, can generally be characterized as an omnibus “code of fair information practices” that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. Broadly stated, the purpose of the Privacy Act is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them. The Privacy Act focuses on four basic policy objectives:
The Privacy Act applies to records that are stored in a “system of records.” The Privacy Act defines a “system of records” as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” There are several exceptions to the Privacy Act. For one thing, agencies engaged in law enforcement can exempt themselves from the Act's requirements.
Data breaches are inescapable, and agencies are storing more and more personal information and data. This information is vulnerable and is sought after by hackers and malicious insiders, and federal agencies are beginning to increase cybersecurity training and infrastructure to protect it. The Privacy Act of 1974 is a significant law for federal agencies. They need not only to implement cybersecurity best practices, but also to prepare for the unavoidable by developing incident response plans that address notification and the restoration of public and employee trust when a data breach occurs.