April 22, 2014
As ordered reported by the House Committee on Oversight and Government Reform on March 12, 2014
CBO estimates that enacting H.R. 3635 would have no significant effect on the federal budget. The legislation would amend federal laws that protect the privacy of personally identifiable information collected by the government. Personally identifiable information includes any information that identifies an individual such as name, Social Security number, and medical or financial records. The legislation would prohibit an agency from deploying a new website until the agency’s Chief Information Officer certifies that all such information is safe and secure. Existing federal websites would have 90 days following enactment of H.R. 3635 to comply with this requirement. The legislation also would require the Office of Management and Budget (OMB) to issue policies and procedures for agencies to follow in the event of a security breach of a federal data system that contains personally identifiable information.
No single federal law or regulation governs the security of all types of sensitive personal information collected by federal agencies. The Federal Information Security Management Act requires each federal agency to develop, document, and implement an agencywide security program for sensitive information. The Privacy Act of 1974 governs the collection, use, and dissemination by federal agencies of personal records. OMB’s “Breach Notification Policy” requires all agencies to implement a policy to safeguard personally identifiable information and to provide notification of a security breach.
Because those laws and policies regarding the security of personally identifiable information are already in place, CBO estimates that the cost of certifying the safety of information collected by federal websites would be less than $500,000 over the next five years. Enacting the bill could affect direct spending by agencies not funded through annual appropriations; therefore, pay-as-you-go procedures apply. CBO estimates, however, that any net change in spending by those agencies would be negligible. Enacting the bill would not affect revenues.
H.R. 3635 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments.