Bipartisan House Bill Would Elevate Chief Information Security Officer At HHS

King & Spalding

On April 26, 2016, House Representatives Billy Long (R-MO) and Doris Matsui (D-CA) introduced the HHS Data Protection Act, legislation aimed at improving cybersecurity at the Department of Health and Human Services (“HHS”).  If enacted, the bill would create a separate Office of the Chief Information Security Officer (“CISO”), elevating the CISO from its current position within the Office of the Chief Information Officer (“CIO”).

The bill would also officially designate the CISO as the primary authority for information security programs—including cybersecurity measures—within HHS.

The bill stems from an investigation and subsequent report by the House Energy and Commerce Committee, of which Reps. Long and Matsui are members, that found “pervasive and persistent deficiencies across HHS and its operating divisions’ information security programs.” The committee initiated the investigation shortly after a 2013 security breach at the Food and Drug Administration (an agency within HHS) exposed the account details of more than 14,000 people. The committee’s security review revealed at least five additional data breaches at HHS, many of which resulted from mistakes or unsophisticated means. The committee released its report nearly two years later, in August 2015.

According to the report, the data breaches at HHS resulted in part from the Office of the CIO subordinating security issues to operational concerns. Accordingly, the report recommended separating the HHS CISO from the Office of the CIO and creating a separate Office of the CISO that would prioritize information security above all other responsibilities. The bill’s current language calls for the appointment of a new CISO and the creation of the separate Office of the CISO by October 1, 2016. The HHS CISO position has been vacant since former CISO Sara Hall left her post earlier this year. In addition, the bill would require the HHS Secretary to submit a report to Congress no later than one year after the legislation’s enactment, detailing the CISO’s plan to oversee, coordinate, and implement the department’s information security programs.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214,

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
