Federal Election Commission (FEC): Regarding Reports Produced For Congress: 10/12/10 – Attachment...


  • 8/8/2019 Federal Election Commission (FEC): Regarding Reports Produced For Congress: 10/12/10 Attachment 2


    BEFORE THE FEDERAL ELECTION COMMISSION

    In the Matter of

    Privacy Act Report to Congress

    CERTIFICATION

    I, Mary W. Dove, Secretary of the Federal Election Commission, do hereby certify that on December 17, 2007, the Commission decided by a vote of 5-0 to approve the Privacy Act Report to Congress, as recommended in the Chief Information Officer/Co-Chief Privacy Officer's memorandum dated December 13, 2007.

    Commissioners Lenhard, Mason, von Spakovsky, Walther and Weintraub voted affirmatively for the decision.

    Attest:

    Date: [illegible]

    Mary W. Dove

    Secretary of the Commission


    FEDERAL ELECTION COMMISSION
    WASHINGTON, D.C. 20463

    December 20, 2007

    The Honorable Jim Nussle
    Director
    Office of Management and Budget
    Washington, DC 20503

    Re: Federal Election Commission

    Privacy Act Report to Congress

    Dear Director Nussle:

    Enclosed please find a courtesy copy of the report the Federal Election Commission submitted to Congress for fiscal year 2007 pursuant to Section 522 of the Consolidated Appropriations Act, 2005.

    Respectfully submitted,

    [signature illegible]


    FEDERAL ELECTION COMMISSION
    WASHINGTON, D.C. 20463

    December 20, 2007

    The Honorable Nancy Pelosi
    Speaker of the House
    U.S. House of Representatives
    H-232, The Capitol
    Washington, DC 20515

    Dear Madam Speaker:

    Section 522 of the Consolidated Appropriations Act, 2005, 42 U.S.C. 2000ee-2 ("section 522") requires Chief Privacy Officers of federal agencies to report to Congress on an annual basis on activities that affect privacy, including complaints of privacy violations, implementation of the Privacy Act, and internal controls (administrative, technical, and physical safeguards), and other relevant matters. This letter is submitted pursuant to the requirements of section 522.

    Most importantly, we are pleased to report that in fiscal year 2007 the Federal Election Commission ("FEC" or "Commission") had no physical or electronic incidents involving the loss of, or unauthorized access to, personally identifiable information. The Commission received no complaints of privacy violations in fiscal year 2007.

    The FEC has always taken very seriously the need to protect the privacy of information entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of federal agencies, with fewer than 400 employees, and the fact that our budget does not include any specific provisions for privacy compliance. During fiscal year 2007, we pursued several activities to improve agency privacy policies and to fully implement the Privacy Act:

    The FEC reviewed its system of records and plans to publish new and amended systems of records notices in 2007 or early 2008;

    The FEC reviewed its privacy practices during the course of preparing its annual Privacy Management Report and submitted the report to the Office of Management and Budget ("OMB");

    Pursuant to OMB Memorandum 07-16, the FEC developed a Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers. In addition, the FEC published a schedule on its website to periodically review its holdings of personally identifiable information on a biennial basis in connection with the biennial review of agency systems of records. http://www.fec.gov/law/privacy_act_notices.shtml. The review, however, will be comprehensive and will not be limited to personally identifiable information contained in agency systems of records;

    Pursuant to section 522, the FEC issued a Report to the Inspector General of its use of information in an identifiable form, along with its privacy and data protection policies and procedures. The Inspector General contracted with an independent third party to: evaluate the agency's use of information in an identifiable form; evaluate the privacy and data protection procedures; and recommend strategies and specific steps to improve privacy and data protection. That review is complete and the report is available on the website. http://www.fec.gov/fecig/fecig.shtml. The FEC has reviewed the report and is already making plans to implement audit recommendations and further improve its privacy program;

    The FEC conducted Annual Security Awareness training for Commission employees that included discussions of general privacy principles. The mandatory "Security Awareness 2007 Training" included: a PowerPoint presentation concerning general security requirements; a review of Commission policy governing electronic records, software, and computer usage; the FEC's Mobile Computing Security Policy, issued pursuant to OMB Memorandum 06-16, which requires all mobile computing devices to be encrypted, two-factor authentication, and user reauthentication after a minimum of 30 minutes of inactivity; and FEC Guidelines for Protecting Sensitive Information; and

    The FEC worked on developing additional privacy training for its employees and job-specific training on privacy issues for employees directly involved in the administration of personal information or information technology, and employees with significant information security responsibilities. We anticipate this training will be delivered in the first quarter of 2008.

    More recently, during calendar year 2007, the FEC completed several privacy projects, including:

    Pursuant to the Privacy Act and section 522, the FEC updated and finalized its Privacy Protection Policies and Procedures;

    Pursuant to OMB Memorandum 05-08 and section 522, the FEC finalized a Directive designating the Co-Chief Privacy Officers and Senior Agency Officials for Privacy and describing their duties;

    Pursuant to OMB Memorandum 07-16, the FEC adopted a Policy and Plan for Responding to Breaches of Personally Identifiable Information;

    Pursuant to the Privacy Act and OMB Memorandum 07-16, the FEC finalized Privacy Rules of Conduct, which outline the rules of behavior and identify the consequences available for failure to comply, including the loss of authority to access the information or system. The Privacy Rules of Conduct cover all employees, contractors, licensees, certificate holders, and grantees; and

    The Co-Chief Privacy Officers circulated an e-mail to all FEC staff and contractors advising them of their responsibility to safeguard personally identifiable information. The e-mail included a memorandum issued to all FEC employees pursuant to OMB Memorandum 06-15, reminding them of their responsibility to safeguard personally identifiable information, the rules for acquiring and using that information, and the penalties for violation of those rules.

    On-going efforts to implement specific provisions of the Privacy Act include:

    Administrative, technical, and physical safeguards to insure security and confidentiality of records in accordance with 5 U.S.C. 552a(e)(10) (discussed below in greater detail);

    FEC regulations that: establish notification procedures to respond to an individual's request for whether a system of records contains a record pertaining to the individual; define reasonable times, places, and requirements for making the information available to the individual; set forth the procedures for disclosure to the individual; permit the individual to request to amend any record or information pertaining to the individual; and establish fees to be charged for copies of records. See 11 C.F.R. Part 1.

    A clause in all contracts with the FEC that incorporates the Privacy Act and requires contractors to comply with the Act, 5 U.S.C. 552(m).

    Legislative and Regulatory Proposals

    Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory proposals that affect privacy. Three of the Commission's five legislative recommendations in fiscal year 2007 would have affected the collection, use, or disclosure of personal information. See http://www.fec.gov/law/legislative_recommendations_2007.shtml. First, the Commission recommended that Congress require mandatory electronic filing of campaign finance reports by the authorized committees of Senate candidates who have, or expect to have, aggregate contributions or expenditures in excess of $50,000 in a calendar year. This recommendation would not result in the collection or use of any additional personal information about contributors to Senate campaigns, but would speed the disclosure of such information.

    Second, the Commission recommended that the FEC be added to the list of agencies authorized to issue "use" immunity orders under Title 18, U.S. Code, with the permission of the Attorney General. This recommendation would enable the Commission to obtain testimony in enforcement investigations from individuals who might otherwise refuse to testify on the basis of their privilege against self-incrimination. The information obtained could include personal information about the witnesses or others.

    The third recommendation would increase certain monetary thresholds that have not been changed since the 1970s related to actions by individuals and small groups involved in campaigns. Three of these proposed changes would increase thresholds that trigger obligations to report financial activity to the Commission. These recommendations would likely marginally reduce the number of individuals and small organizations making independent expenditures who must report to the Commission and the number of small organizations that must register as political committees (which are required to report certain information about contributors whose contributions aggregate in excess of $200 in a calendar year). Thus, the recommendations would reduce the agency's collection and dissemination of personal information.

    Two Commission regulatory proposals, if effected, would also affect the collection, use, or disclosure of personal information. Specifically, proposed rules to implement section 204 of Public Law 110-81, the "Honest Leadership and Open Government Act of 2007" (HLOGA), would require certain political committees to disclose information (such as name and address, employer information, and amount of contributions bundled to the committee) about each lobbyist and registrant, and each political committee established or controlled by a lobbyist or registrant, that forwards, or is credited with raising, two or more bundled contributions aggregated in excess of $15,000 during a specific period of time. See 72 Fed. Reg. 62600 (November 6, 2007). While this proposal would result in the collection and disclosure of personal information about lobbyists and registrants that is not currently collected, the proposed rule would not require the collection or disclosure of any more information than is required by HLOGA.

    The Commission also adopted changes to FEC rules in light of the Supreme Court decision in FEC v. Wisconsin Right to Life, Inc. (WRTL), 127 S. Ct. 2652 (2007). See www.fec.gov/law/law_rulemakings.shtml. New 11 C.F.R. 114.15 creates an exemption from the corporate and labor organization funding restrictions on electioneering communications in 11 C.F.R. 114.2 and includes changes to the electioneering communications reporting requirements in 11 C.F.R. 104.20. Prior to WRTL, corporations and labor organizations could not make any electioneering communications using funds in their general treasuries. After WRTL, they may make certain electioneering communications described in the new exemption with general treasury funds. The new rules require corporations and labor organizations that make permissible electioneering communications aggregating in excess of $10,000 in a calendar year to report, among other things, the name and address of each person who made a donation aggregating $1,000 or more to the corporation or labor organization for the purpose of furthering electioneering communications. Similar information was already required to be reported about donors to other entities that make electioneering communications. Thus, the new rules would increase the collection and dissemination of personal information about donors only to the extent the rules result in donations to corporations and labor organizations, which were previously prohibited from engaging in this activity. In drafting the regulations, the Commission was careful to protect the privacy rights of those donors who give for more general purposes and limited the reporting obligations to only information about those persons who make donations for the purpose of furthering electioneering communications.

    Administrative Safeguards

    The Commission's enabling statute, the Federal Election Campaign Act (FECA), as amended, provides important administrative safeguards. Specifically, the FECA prohibits the disclosure of conciliation information or information about an open complaint or investigation without written consent of the person whom the complaint or investigation is about. See 2 U.S.C. 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may result in criminal penalties and possible fines. 2 U.S.C. 437g(a)(12)(B).

    Additional FEC administrative safeguards for personally identifiable information include Privacy Protection Policies and Procedures, Data Protection Policies and Procedures, and government-wide ethical standards that prohibit the use of non-public information for personal gain. See 5 C.F.R. 2635.703 (2006). OPM regulations prohibit the unauthorized disclosure of personnel records. See 5 C.F.R. 293.108 (1979). Employees are allowed access to personal information only to the extent that it is necessary for them to perform their duties, and the FEC network is configured to allow only the lowest level of access necessary for each employee.

    All FEC staff and contractors must keep information relating to their work on the FEC network to the extent that the technology available at field locations allows, and thus minimize the amount of information kept on laptop, or local, hard drives. Mindful of the need for security when FEC laptops leave the building, the FEC encrypted the hard drives of all FEC laptops and configured them to require two-factor authentication for access.

    FEC personnel redact personal information as appropriate from compliance matter records before documents in those matters are made public.

    Contractors working for the FEC are required to comply with the Privacy Act, as all Commission contracts include a clause that incorporates Privacy Act requirements. They are also required to comply with Commission Information System Security policies when accessing Commission information resources. For instance, if a contractor uses a laptop, the system must meet the FEC security requirements. At the end of a contract, the contractor must ensure that any FEC data on the contractor's laptop has been removed. Any device a contractor uses for remote access to the Commission's network must be encrypted, use two-factor authentication, and include a 30-minute time-out function. FEC staff and contractors are advised on the proper handling of agency data and encouraged to save FEC data to their network folders, especially when performing work off-site. On the rare occasion when staff and contractors have to save FEC data on a local hard drive, they are advised to move the data to a network folder in a timely manner.

    The FEC has also contracted with an outside organization, EBSI, to perform a series of formal risk assessments of our information systems. The information obtained from these risk assessments, which are ongoing, will be used to develop, modify, and implement any new policies, standards, and procedures needed to improve the Commission's protection of sensitive information, including personally identifiable information.

    Individuals who access information the FEC publishes about candidate and committee activity are reminded that information may not be sold, used for commercial purposes, or used to solicit any type of contribution or donation.

    With respect to its website, the FEC does not collect anything other than statistical data from browsers who access its website. It collects personal information from individuals who request information or download data, but it does so only with the express permission of the individual. The Commission's website privacy policy is prominently displayed and easy to access. http://www.fec.gov/privacy.shtml.

    Technical Safeguards

    The FEC's technical safeguards for personally identifiable information are based on the classification of that information as sensitive information. The protection of sensitive information is the foundation of the Commission's Information System Security Program, a comprehensive entity-wide program designed to ensure the confidentiality, integrity, and availability of information systems and data and aimed at protecting the overall FEC computing environment.

    The FEC's technical safeguards include, inter alia, identification and authorization, logical access, and monitoring. Identification and authorization, or access control, are technical safeguards that prevent unauthorized people (or unauthorized processes) from entering an information technology system. All FEC information systems that contain personally identifiable information must conform to the Commission's identification and authorization policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the FEC Password Standard.

    The 58-3.1 Logical Access Policy safeguards information against unauthorized use, disclosure, modification, damage, and loss through the use of automated mechanisms that restrict logical access to FEC electronic information to authorized users, and uses automated procedures to base information access on actual business needs. This policy takes into consideration authorization, identification, authentication, privacy, and user profiles and identification.

    The 58-2.2 Account Management Policy ensures that FEC information system user accounts are consistently authorized and validated. This policy provides for individual accountability in automated transactions, consistent adherence to user identification code standards across FEC applications and platforms, and the protection of user accounts from probing by unauthorized users.

    The FEC password standard reduces the likelihood of a successful brute force attack. This standard takes into account the current state of computer system performance and current password cracking programs' capabilities.

    In addition, the FEC employs a number of other policies and standards as technical safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's technical personnel to detect potential threats to electronic information, and record selected system activities that will be stored with integrity, and reviewed by management on a regular basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous review of information systems for compliance with approved policies, procedures, and standards); the 58-3.2 Application and Operating System Security Policy (which covers the use, modification, and configuration of computing resource applications and operating systems); the 58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and addresses interruptions of Commission business processes due to damage, theft, or unauthorized access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the prevention, detection, and repair of damage resulting from malicious code).

    Firewalls control the processes and users who have external access to the FEC network. Intelligent switches protect resources by segregating users from certain segments of the network. Intrusion detection hardware and other network monitoring software alert administrators when anomalies occur. The Commission has also upgraded its directory services system and has thus enhanced the Commission's ability to manage its access control capabilities. In addition, the FEC maintains and reviews access logs (paper and electronic) for its data center.

    The FEC employs a three-layered virus prevention strategy that prevents malicious software from propagating throughout the Commission. This three-layered strategy limits a hacker's ability to plant listening programs on the Commission's network and/or computer systems to collect and retrieve sensitive information.

    SAVVIS Inc. provides the web hosting services for the Commission's Internet presence. It also maintains the operating system for the Commission's website. SAVVIS Inc. has passed an in-depth audit of information technology safeguards under Statement on Auditing Standards No. 70, Service Organizations, an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. The FEC uses a web server software package which has a good reputation as a secure product. The web servers are protected by hardware firewalls that permit public access only through specified protocols, thus limiting the website's vulnerability to hackers. FEC and SAVVIS Inc. administrative personnel can only access the servers via a secure set of standards and an associated network protocol that establishes a secure channel between a local and a remote computer by way of public-key cryptography. All communication to the servers (including usernames and passwords) is thus encrypted.

    The Commission employs a continuous monitoring program that includes periodic tests of the Commission's Local Area Network, specifically tests of vulnerability to external penetration, disaster recovery plans, incident response plans, network vulnerability, and access control procedures.

    During 2007, the FEC implemented an Intrusion Detection System (IDS). An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

    The Commission also implemented an automated process to ensure that accounts notaccessed in a specified time are automatically disabled.

    In addition, the Commission implemented a Microsoft patch policy to secure the workstations from various attacks identified by Microsoft, and thus no longer relies on users to update their laptops/workstations with Microsoft patches. The FEC automatically pushes and installs the patch(es) to users.

    The FEC also purchased a network access control system which, when implemented, will scan network devices and deny access unless the device meets FEC security requirements. Finally, using a Department of Defense standard, the FEC sanitizes the hard drives of any computer system prior to issuing it to another employee or sending it out for replacement.

    Physical Safeguards

    The Commission has established physical safeguards that it believes are commensurate with the risk associated with and the sensitivity of the information in its possession. Security guards staff the building entrance; employees are required to show identification before entering; individuals who wish to research Commission public records are restricted to an area of the building that includes only public records; and all other visitors require an employee escort. Privacy screens have been installed on computer screens where there is a substantial likelihood that personal information may be viewed by passers-by.

    Commission policies require that paper and microfilm records be kept in limited access areas under the personal surveillance of Commission employees during working hours and in locked rooms during non-working hours; that CD-ROMs related to audits and investigations be kept in locked file cabinets; and that paper records related to audits and investigations be kept in locked safes in limited access areas of the building. Auditors in the field are instructed to keep their audit documents under personal supervision or in locked cases. Employees with access to payroll and travel records are advised to maintain the records in locked file cabinets in cipher-locked rooms. All employees are advised that documents containing sensitive information, including personal information, must be shredded prior to disposal. We plan on working closely with the FEC's Administrative Officer in 2008 to improve physical security of sensitive information and ensure the physical security policies are adhered to by employees.

    Our administrative, technological, and physical safeguards have proven effective. Nevertheless, the Federal Election Commission is working to improve its protection of personal information by reviewing its privacy policies and procedures, updating its system of records, and exploring additional training opportunities for its employees. We look forward to providing you with an update on our progress next year.

    Respectfully submitted,

    Date: [illegible]

    Alec Palmer
    Co-Chief Privacy Officer

    Date: [illegible]

    [second signature illegible]