From the Hill – Fall 2000

Greater cooperation sought in protecting critical infrastructure

In a further effort to improve the security of the nation’s computer infrastructure, a bill has been introduced in the House that would encourage private-sector participation in government-created information-sharing centers. The Cyber Security Information Act of 2000 (H.R. 4246), introduced by Reps. Tom Davis (R-Va.) and Jim Moran (D-Va.), would exempt certain information about cyber security from being disclosed under the Freedom of Information Act (FOIA), thus allowing private firms to share information with the federal government that they do not wish to make public. Although the business and high-tech communities support the bill, some privacy advocates say it is unnecessary and may weaken FOIA.

The Davis-Moran bill is modeled after the Y2K Information Readiness and Disclosure Act, which was designed to promote government-industry partnerships to address the Year 2000 computer problem. The Y2K law established antitrust, liability, and FOIA exemptions for Y2K-related information, in an attempt to facilitate information sharing by companies who feared that publicly released information could be used against them in lawsuits. Like the Y2K Act, H.R. 4246 contains three similar exemptions, but now it is the FOIA provision, not the liability provision, that has attracted attention.

In recent years, as the country’s critical infrastructure has become more interconnected, it has also grown more vulnerable to cyber attacks. Although the most damaging computer security incidents are widely reported in the press, thousands more occur that do not attract much attention, and there is evidence that their prevalence is increasing. The CERT Coordination Center at Carnegie Mellon University, which was established in 1988 to track and respond to cyber threats and vulnerabilities, received more than 9,800 incident reports in 1999, up from 3,700 the year before.

In January 2000, the Clinton administration unveiled its National Plan for Information Systems Protection, with two broad goals: tightening cyber security in the federal government and promoting public-private cyber security partnerships. The administration proposed creating Information Sharing and Analysis Centers (ISACs) that would allow private-sector companies and the federal government to pool information. An ISAC would be created for six industry sectors, each of which would be assisted by an associated federal agency.

ISACs have already been set up for the finance and telecommunications industries, and the model has been widely praised. However, some businesses have expressed reluctance to participate because of concerns about the possible release of sensitive information through FOIA. The Davis-Moran bill is an attempt to address this concern.

At a June 22 hearing on the bill before the Subcommittee on Government Management, Information, and Technology of the House Government Reform Committee, L. Craig Johnstone of the U.S. Chamber of Commerce echoed these fears of public disclosure and praised the lawmakers’ efforts: “The government can expect the amount of valuable information passed on to agencies about Internet threats and vulnerabilities to be directly proportional to the amount of safety provided by H.R. 4246. No protection, no information, plain and simple.”

However, David L. Sobel, general counsel for the Electronic Privacy Information Center, testified that confidential cyber security information is already exempt from FOIA, under what is known as a (b) 4 exemption. He emphasized the benefits of FOIA and expressed concern that the bill would erect a new barrier to obtaining information that should be disclosed. “This exemption approach is fundamentally inconsistent with the basic premise of the FOIA,” he said.

Johnstone argued, however, that the FOIA exemption is not clear in the law. John Tritak, director of the Critical Infrastructure Assurance Office at the Department of Commerce, supported Johnstone’s view. Tritak said that although the government believes that existing FOIA exemptions are sufficient, the legal community is debating their meaning.

In a critique posted on its Web site, the Center for Democracy and Technology (CDT) argued that several parts of H.R. 4246 are problematic and that a more limited approach that fits within the framework of the (b) 4 exemption should be taken.

H.R. 4246 is one of a number of bills aimed at bolstering cyber security. Sen. Orrin G. Hatch (R-Utah) and Sen. Charles E. Schumer (D-N.Y.) have proposed the Internet Integrity and Critical Infrastructure Protection Act of 2000 bill (S. 2448), which would expand federal prosecution of computer crimes. In February, the House passed the Wireless Privacy Enhancement Act of 1999 (H.R. 514), which is designed to combat eavesdropping on wireless communications. On July 26, the House Science Committee passed the Computer Security Enhancement Act (H.R. 2413), which would strengthen the role of the National Institute of Standards and Technology in ensuring the security of federal computer systems. On July 17, the White House announced that it would propose legislation to update wiretapping laws.

House bill would expand protection of personal health information

The House Banking and Financial Services Committee passed the Medical Financial Privacy Protection Act (H.R. 4585) on June 29, bringing protection of personal health information a step closer to passage. H.R. 4585 would require insurance companies and financial institutions to obtain an individual’s consent before medical records could be shared with third parties or affiliated companies.

On the same day that the bill was approved, however, the House Government Reform Committee passed legislation (H.R. 4049) that some privacy protection advocates believe would stall the advancement of any substantive legislation. H.R. 4049 would create a commission to study a multitude of privacy issues, including medical privacy.

The Medical Financial Privacy Protection Act would amend Title V of the Gramm-Leach-Bliley Act by making it more difficult for insurance and banking institutions to disclose personal health information. Title V of the bill, which overhauled the financial services industry, allowed consumers to opt out of any information-sharing with unaffiliated organizations. But because the law allowed health and life insurers to merge with banks and other financial service institutions, concern grew that one branch of the new conglomerates would share personal medical information with its affiliates.

H.R. 4585 would expand the original opt-out provision to include data shared with affiliated companies. It would permit individuals to sue financial institutions that disclosed personal information without obtaining prior consent. Exemptions would be allowed in some instances, such as for processing worker compensation claims. Consumers would have the right to review and correct information about themselves.

The bill differs from other medical privacy bills in that it applies strictly to medical information gathered by financial institutions, whereas the proposed Department of Health and Human Services regulations issued in November 1999 apply to health plans, health care providers, and health care clearinghouses.

H.R. 4585 has been opposed by organizations such as the American Bankers Association, the American Council of Life Insurance, the American Insurance Association, and the Securities Industry Association. These groups argue that complying with Title V of the Gramm-Leach-Bliley law is already onerous. Insurance companies argue that most financial service companies establish separate subsidiaries for tax or organizational objectives and that regulating the sharing of information among these affiliates amounts to regulating within the business itself. Industry groups urged waiting to see how the original bill is implemented before taking additional steps.

The bill passed by the House Government Reform Committee would establish a Commission for the Comprehensive Study of Privacy Protection. The 17-member commission would be appointed by the White House and Congress to conduct an 18-month study of issues “relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information.” The commission would focus on medical, educational, library, and purchase and payment records, as well as the use of other identifiers such as driver’s licenses and credit cards. The study would address “the monitoring, collection, and distribution of personal information by federal and state governments, individuals, or [other] entities,” such as the private sector. The final report to be submitted to the president and Congress would include findings and recommendations regarding the potential threats posed to individuals, the effectiveness of existing statutes and regulations, and the need for additional legislation.

Potential for discrimination debated in wake of genome breakthrough

On June 26, the Human Genome Project announced that approximately 85 percent of the entire human genome had been sequenced, laying out a draft road map for future research into potential therapeutic applications. On July 20, the Senate Health, Education, Labor, and Pensions Committee held a hearing to discuss the project, particularly one of its potentially adverse impacts: discrimination against individuals with potential and perceived disabilities by employers and insurance companies.

Francis Collins, director of the National Human Genome Research Institute at the National Institutes of Health (NIH) and head of the effort that produced the sequencing breakthrough, testified that although genetic research holds great promise, it can “also be used in ways that are fundamentally unjust. . . . Already, with but a handful of genetic tests in common use, people have lost their jobs, lost their heath insurance, and lost their economic well being due to the unfair and inappropriate use of genetic information.”

Both Collins and Senate Democratic Leader Tom Daschle (D-S.D.) provided examples of individuals who had been discriminated against on the basis of genetic disease traits that they carried. “As the use of genetic tests increases,” Daschle said, ” the number of genetic discrimination victims will increase unless we specify–clearly and unambiguously– how genetic information may be used and how it may not be used.”

Not only is potential discrimination at issue, but also the future of genetic research if people opt out of participating in studies because of fears that the information will be misused. “This is not a theoretical concern,” Craig Venter, president of Celera Genomics, a private firm involved in sequencing the genome, said in a letter to Daschle. “Today, people who know they may be at risk for a genetic disease are forgoing diagnostic tests for fear they will lose their job or their health insurance.”

Daschle, in conjunction with Sens. Edward Kennedy (D-Mass.), Christopher Dodd (D-Conn.), and Tom Harkin (D-Iowa), has introduced the Genetic Nondiscrimination in Insurance and Employment Act (S. 1322). The bill would extend to the private sector the same protections that government employees have under Executive Order 13145. The bill would make it illegal for an employer to discriminate against job applicants or fire employees on the basis of genetic information, prohibit disclosure of an employee’s genetic information without prior consent, and allow employees the right to sue for discrimination in court. The bill would also forbid insurance companies to deny coverage on the basis of genetic traits. Rep. Louise Slaughter (D-N.Y.) introduced a bill similar to Daschle’s in the previous House session.

Although all witnesses at the hearing stated that discrimination based on an individual’s genetic makeup is wrong, the appropriate legislative vehicle to protect against such acts is a contested matter. The Americans with Disabilities Act (ADA) may provide some limited coverage. For example, a genetic test or screening is considered a medical examination, and the ADA contains provisions that control the way an employer is allowed to conduct such examinations.

A thornier issue is the definition of disability. The ADA clearly forbids discrimination against a person with a disability. Although a genetic test may reveal whether one is predisposed to developing a disease or is a carrier of a hereditary disease, a positive test does not guarantee that the individual will develop the disease. Hence, does it constitute discrimination under the ADA if an employer makes a hiring or firing decision based on a potential disability? The Equal Employment Opportunity Commission argued in its March 1995 Interpretative Guidance that an employer could be held liable merely by acting upon the perception of impairment. The limit of the ADA’s scope, however, is debatable, because this area of discrimination law is so new and has yet to be argued in court.

Harold P. Coxson, of the law firm of Ogletree, Deakins, Nash, Smoak and Stewart, testified that more thorough analysis of the use of the ADA in protecting against genetic discrimination is needed before additional legislation is approved. He recommended either amending the ADA to address gaps in the current law or pursuing medical record privacy legislation as a solution in lieu of a separate bill. “The origin of any problem related to employment decisions based on genetic information is the dissemination of such confidential information in the first place,” Coxson pointed out.

DOD, NIH slated for big increases in R&D spending

The Department of Defense (DOD) and NIH will both receive big increases in R&D spending in FY 2001. However, as of mid-September, Congress had not decided on funding for other major federal R&D funding agencies.

The DOD appropriations bill, signed into law on August 9, will raise the total defense R&D budget to $41.9 billion, a 6.8 percent increase (and 8.7 percent above President Clinton’s budget request), making 2001 a banner year for defense R&D. The appropriation includes a 13 percent increase in DOD’s support for basic research and an 8 percent increase in its support for applied research.

Meanwhile, just before the August recess, the House and Senate reached a provisional agreement that would raise the NIH budget by $2.7 billion, or 15 percent, to $19.7 billion.

The fate of the other major R&D funding agencies was uncertain as of mid-September. Because Congress was working with discretionary spending ceilings for nondefense programs far below the president’s request, the House would fall short of the administration’s request for nearly all non-NIH, nondefense R&D programs and would cut many programs below the FY 2000 budget. The Senate would provide more generous funding to non-NIH, nondefense R&D programs, but at the cost of siphoning funds from a major appropriations bill it had not yet drafted: the Department of Veterans Affairs and Housing and Urban Development, and Independent Agencies bill, which funds R&D in the National Science Foundation, the National Aeronautics and Space Administration, and the Environmental Protection Agency.

Nonetheless, the outlook for non-NIH, nondefense R&D was not as grim as it appeared. Congressional leaders were likely to face enormous pressure to meet the president’s funding demands, and R&D agencies were likely to receive more funding than Congress had previously approved.

“From the Hill” is prepared by the Center for Science, Technology, and Congress at the American Association for the Advancement of Science (www.aaas.org/spp) in Washington, D.C., and is based on articles from the center’s bulletin Science & Technology in Congress.