Commerce Probes White House Notification Policy After Data Breach

May 3, 2015

WASHINGTON, D.C. – U.S. Senate Commerce, Science, and Transportation Committee Chairman John Thune (R-S.D.) has sent a letter to President Barack Obama regarding concerns that the recent data breach on the White House information system may have compromised Americans’ personally-identifiable information. Specifically, the letter seeks information regarding notification policies the White House is committed to following should it find evidence that personally-identifiable information was likely compromised.

"Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent or any, future breach, results in a compromise,” said Thune about his inquiry. “If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves. I look forward to receiving answers from the White House."

The full letter is included below, and available here.

Dear Mr. President:

I write today to seek your assurance that recent attacks on the White House information system have not compromised the personally identifiable information of our fellow Americans, and to ensure that, if such information has been compromised, the White House will move quickly to notify the affected individuals.

Recent reports indicate that a malicious cyber intrusion on the unclassified computer system of the White House, attributed to Russian hackers, is more extensive than previously known.  Though the hackers do not appear to have accessed any classified information, the unclassified computer system reportedly contains a great deal of sensitive information, such as schedules, policy discussions, and e-mails you sent and received, including exchanges with ambassadors.

This unclassified computer system likely also contains the personally identifiable information of many Americans.  In order to enter the White House complex, whether for an official business meeting, tour, or social function, an individual must submit his or her date of birth, social security number, gender, country of birth, citizenship, and place of residence.  This information is often sent via e-mail, including by congressional offices relaying tour requests.  I am therefore concerned that this recent incident may have exposed the personally identifiable information of many individuals and they may, as yet, be unaware of their vulnerability.

Increasing reports of attacks across Executive Branch departments and agencies raise serious questions as to whether they are adequately prepared to address vulnerabilities and protect sensitive information. Given this recent hack, as well as prior incidents in 2009 and 2011, concerns remain that the White House’s network infrastructure remains vulnerable.  


You have proposed legislation that would require companies to notify consumers when their personally identifiable information has been compromised, a goal I share as chairman of the Senate committee most directly involved with the protection of such data.  You also have identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter.” Under the Federal Information Security Management Act (FISMA), the Director of the Office of Management and Budget (OMB), within the Executive Office of the President, oversees all federal agencies’ information security policies and practices and issues direction on data breach notification and implementation of the National Institute of Standards and Technology’s information security standards.  According to OMB’s most recent government-wide FISMA assessment, Executive Branch departments and agencies continue to face serious security challenges.

To allow the Committee to understand the scope of this reported breach and the steps the White House is taking to address the potential exposure of the personally identifiable information of visitors to the White House, as well as to regain the trust of the American public, please provide responses to the following questions as soon as possible, but by no later than May 15, 2015:

 

1.      Did the recent cyber incident discussed above involve the access or loss of personally identifiable information? 

2.      If yes, has the White House ensured that those affected have been notified in a manner consistent with OMB policy on data breach notification, the Privacy Act, and in keeping with your own recommended direction to business entities under your data breach notification legislative proposal? 


3.      What steps is the White House taking to protect against similar incidents going forward?  


4.      What policies does the White House have in place to ensure that individuals are properly notified when their personal identifiable information has been compromised due to a breach of its information systems? 

 

Thank you for your attention to this matter.

###