
FEDERAL ELECTION COMMISSION

WASHINGTON, D.C. 20463

December 22, 2008

The Honorable Nancy Pelosi


Office of the Speaker
U.S. House of Representatives
H-232, US Capitol
Washington, DC 20515

Re: Federal Election Commission Privacy Act Report to Congress

Dear Madam Speaker:

Enclosed please find the Federal Election Commission's (FEC) Privacy Act
Report for fiscal year 2008 pursuant to Section 522 of the Consolidated Appropriations
Act (2005).

Respectfully submitted,

Alec Palmer
Co-Chief Privacy Officer

Lawrence Calvert
Co-Chief Privacy Officer

Enclosure
FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

December 22, 2008

The Honorable Nancy Pelosi


Office of the Speaker
U.S. House of Representatives
H-232, US Capitol
Washington, DC 20515

Dear Madam Speaker:

Section 522 of the Consolidated Appropriations Act, 2005, 42 U.S.C. § 2000ee-2,
("Section 522") requires Chief Privacy Officers of federal agencies to report to Congress on an
annual basis on activities that affect privacy including complaints of privacy violations,
implementation of the Privacy Act, and internal controls (administrative, technical, and physical
safeguards), and other relevant matters. This letter is submitted pursuant to the requirements of
Section 522.

Most importantly, we are pleased to report that in fiscal year 2008 the Federal Election
Commission ("FEC" or "Commission") had no physical or electronic incidents involving the loss
of, or unauthorized access to, personally identifiable information contained in its electronic or
physical systems. The Commission received one redress and two operational internal privacy
complaints in fiscal year 2008. It was determined that the redress complaint, while it sought
resolution of a privacy-related matter, was not covered by the Privacy Act. The operational
matters were, or are currently, being handled administratively. The Commission was not a party
to Privacy Act litigation in fiscal year 2008.

On January 2, 2008, the Commission published revised Systems of Records Notices,
which deleted two obsolete and duplicative systems, and added four additional systems of
records. Aside from the proposals described in last year's Section 522 Report, no regulatory
proposals made by the Commission in fiscal year 2008 would have affected the collection, use,
or disclosure of personal information. The Commission made no legislative recommendations in
FY 2008, in part because there was no quorum on the Commission during the first six months of
the year.

The FEC has always taken very seriously the need to protect the privacy of information
entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of
federal agencies with fewer than 400 employees and the fact that our budget does not include any
specific provisions for privacy compliance. During fiscal year 2008, we pursued several
activities to improve agency privacy policies and to fully implement the Privacy Act:
• The FEC published new and amended systems of records notices in January 2008;

• The FEC reviewed its privacy practices during the course of preparing its annual
Privacy Management Report and submitted the report to the Office of
Management and Budget ("OMB");

• The FEC began implementation of its Plan to Review and Reduce Holdings of
Personally Identifiable Information (PII) and Eliminate Unnecessary Use of
Social Security Numbers ("SSN Reduction Plan"), developed in response to OMB
Memorandum 07-16. The agency has incorporated SSN data collection into its
ongoing PII Review (discussed in more detail below) to facilitate completion in
fiscal year 2009;

• Pursuant to OMB Circular 130, the FEC conducted a random sample review of
agency contracts with vendors (both interagency and private) who maintain,
operate, store, or have access to personally identifiable information in the FEC
systems of records (i.e. "Section M" contracts);

• Pursuant to 5 U.S.C. § 552(m), the FEC developed nondisclosure agreements and
government contract addendums which contain privacy clauses and/or language
binding all FEC vendors (both open market and GSA schedule contractors) to the
provisions of the Privacy Act and FEC privacy and security policies;

• The FEC contracted with an outside vendor, Solution Technology Systems Inc.
(STSI), to conduct a comprehensive review of its personally identifiable
information (PII) holdings, including PII that is not located in any FEC system of
records. The PII Review, which began in September 2008, is expected to provide
the agency with the following deliverables: a thorough inventory of PII agency-wide;
an analysis of current FEC policies, procedures and safeguards relating to
PII; recommendations for future inventories, systems of records, privacy policies
and procedures; and recommendations for PII disposal and records retention
management. The review is scheduled for completion in Spring 2009;

• The FEC implemented mandatory agency-wide annual privacy and personally
identifiable information (PII) training which discussed FEC privacy policies and
procedures, and informed employees and contractors of their responsibilities for
protecting personal information collected by the agency. Specifically, the 2008
Privacy Training contained the following elements: 1) a PowerPoint presentation
discussing general privacy principles; 2) a PowerPoint presentation discussing
mandatory procedures for employee/contractor handling of sensitive information
(i.e. PII), and data breach identification and responses; and 3) mandatory
employee reviews of the FEC Privacy Protection Policies and Procedures, FEC
Guide to Protecting Sensitive Information, and FEC Privacy Rules of Conduct.

The agency also created a database for tracking employee privacy training
certifications to ensure training compliance, and is working on creating a similar
database for FEC contractors. Finally, the agency is currently in the process of
updating its annual privacy training module, and is developing an online privacy
training and certification process through Skillport;

• The FEC conducted mandatory annual security awareness training for
Commission employees and contractors that included discussions of general
privacy principles. Specifically, the 2008 Security Awareness Training contained
the following elements: a PowerPoint presentation concerning general security
requirements and the treatment of portable media (e.g. flash drives, laptops); a
review of Commission policies governing electronic records, software, and
computer usage; a review of the FEC's Mobile Computing Security Policy (issued
pursuant to OMB Memorandum 06-06) which requires all mobile computing
devices to be encrypted, with two-factor authentication, and user reauthentication
after a minimum of 30 minutes of inactivity; and a review of the FEC Guidelines
for Protecting Sensitive Information;

• The FEC is currently developing system manager privacy training;

• The FEC is currently conducting a privacy review of its Information Technology
Strategic Plan 2008-2013 to assess potential privacy concerns that may be derived
from future proposed information technology systems; and

• The FEC participated in the Office of Inspector General's independent 2007
Performance Audit of Privacy and Data Protection of the agency. The OIG 2007
performance audit report, and management responses, may be found on the FEC
website at http://www.fec.gov/fecig/fecig.shtml. The FEC developed a corrective
action plan to address many of the concerns raised in the audit, and is in the
process of completing many of the action items listed in the plan.

Additionally, during calendar year 2008, the FEC completed several privacy projects,
including:

• The FEC made an agency-wide presentation to all executive, special and
administrative assistants regarding its SSN Reduction Plan in an effort to
spearhead SSN data collection, and identify areas where SSNs can be eliminated
from use throughout the agency. The agency also had similar communications
with FEC managers regarding the SSN Reduction initiative;

• The FEC incorporated into its FOIA system a numerical classification scheme for
tracking privacy records requests;

• The FEC created a privacy database to catalogue the agency's privacy compliance
efforts;

• The FEC prepared a calendar for tracking privacy reporting and review
requirements through 2011;

• The Chief Information Systems Security Officer issued an email to all FEC staff
and contractors reminding them of the proper procedures for securing laptops, and
the importance of completing mandatory security awareness training; and

• The Co-Chief Privacy Officers circulated an e-mail to all FEC staff and
contractors advising them of their responsibility to safeguard personally
identifiable information. The email included a summary and copy of the FEC
Privacy Protection Policies and Procedures, Policy and Plan for Responding to
Breaches of Personally Identifiable Information, and Privacy Rules of Conduct.

On-going efforts to implement specific provisions of the Privacy Act include:

• Continue the implementation of administrative, technical, and physical safeguards
to insure security and confidentiality of records in accordance with 5 U.S.C. §
551a(e)(10) (discussed below in greater detail);

• Continue compliance with FEC privacy regulations that: establish notification
procedures to respond to an individual's request for whether a system of records
contains a record pertaining to the individual; define reasonable times, places, and
requirements for making the information available to the individual; set forth the
procedures for disclosure to the individual; permit the individual to request to
amend any record or information pertaining to the individual; and establish fees to
be charged for copies of records. See 11 C.F.R. Part 1; and

• Review agency systems of records in preparation for possible amendments or
revisions to current systems of records notices.

Legislative and Regulatory Proposals

Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory
proposals that affect privacy. Other than those regulatory proposals issued at the end of calendar
year 2007 which were described in the fiscal year 2007 Section 522 Report, the Commission has
not made any such proposals that affect the collection, use or disclosure of personal information.
See App. I (FY 2007 Section 522 Report, 3-4). Moreover, the Commission made no legislative
recommendations in FY 2008, in part because there was no quorum in the Commission during
the first six months of the year.

Administrative Safeguards

The Commission's enabling statute, the Federal Election Campaign Act (FECA), as
amended, provides important administrative safeguards. Specifically, the FECA prohibits the
disclosure of conciliation information or information about an open complaint or investigation
without written consent of the person whom the complaint or investigation is about. See 2
U.S.C. § 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may
result in criminal penalties and possible fines. 2 U.S.C. § 437g(a)(12)(B).

Additional FEC administrative safeguards for personally identifiable information include
Privacy Policies and Procedures, Data Protection Policies and Procedures, and government-wide
ethical standards that prohibit the use of non-public information for personal gain. See 5 C.F.R.
§ 635.703 (2006). OPM regulations prohibit the unauthorized disclosure of personnel records.
See 5 C.F.R. § 293.108 (1979). Employees are allowed access to personal information only to
the extent that it is necessary for them to perform their duties and the FEC network is configured
to allow only the lowest level of access necessary for each employee.

In accordance with FEC policies, all FEC staff and contractors must keep information
relating to their work on the FEC network to the extent that the technology available at field
locations allows and thus minimize the amount of information kept on laptop, or local, hard
drives. Mindful of the need for security when FEC laptops leave the building, the FEC
encrypted the hard drives of all FEC laptops and configured them to require two-factor
authentication for access.

FEC personnel redact personal information as appropriate from compliance matter
records before documents in those matters are made public. Personal information is also
redacted from records released in response to FOIA requests, to the extent appropriate or in
conjunction with a prescribed statutory or regulatory exemption under 5 U.S.C. § 552, 11 CFR §
4.5, or the FEC's interim disclosure policy, 68 Fed. Reg. 70426 (Dec. 18, 2003).

Contractors working for the FEC are required to comply with the Privacy Act through
Commission contracts that incorporate Privacy Act language or addendums. Moreover,
contractors with access to personal information are required to sign nondisclosure agreements
which bind them to FEC privacy policies prior to having access to our systems. They are also
required to comply with Commission Information System Security policies when accessing
Commission information resources. For instance, if a contractor uses a laptop, the system must
meet the FEC security requirements. At the end of a contract, the contractor must ensure that
any FEC data on the contractor's laptop has been removed. Any device a contractor uses for
remote access to the Commission's network must be encrypted, must use two-factor
authentication, and must include a 30 minute time-out function. FEC staff and contractors are
advised on the proper handling of agency data and encouraged to save FEC data to their network
folders especially when performing work off-site. On the rare occasion when staff and
contractors have to save FEC data on a local hard drive, they are advised to move the data to a
network folder in a timely manner.

Individuals who access information the FEC publishes about candidate and committee
activity are reminded that that information may not be sold, used for commercial purposes, or
used to solicit any type of contribution or donation.

With respect to its website, the FEC does not collect anything other than statistical data
from browsers who access its website. It collects personal information from individuals who
request information or download data, but it does so only with the express permission of the
individual. The Commission's website privacy policy may be found at
http://www.fec.gov/privacy.shtml.

Technical Safeguards

The FEC's technical safeguards for personally identifiable information are based on the
classification of that information as sensitive information. The protection of sensitive
information is the foundation of the Commission's Information System Security Program, a
comprehensive agency-wide program designed to ensure the confidentiality, integrity, and
availability of information systems and data and aimed at protecting the overall FEC computing
environment.

The FEC's technical safeguards include, inter alia, identification and authorization,
logical access, and monitoring. Identification and authorization, or access control, are technical
safeguards that prevent unauthorized people (or unauthorized processes) from entering an
information technology system. All FEC information systems that contain personally
identifiable information must conform to the Commission's identification and authorization
policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the
FEC Password Standard.

The 58-3.1 Logical Access Policy safeguards information against unauthorized use,
disclosure, modification, damage, and loss through the use of automated mechanisms that restrict
logical access to FEC electronic information to authorized users, and uses automated procedures
to base information access on actual business needs. This policy takes into consideration
authorization, identification, authentication, privacy, and user profiles and identification.

The 58-2.2 Account Management Policy ensures that FEC information system user
accounts are consistently authorized and validated. This policy provides for individual
accountability in automated transactions, consistent adherence to user identification code
standards across FEC applications and platforms, and the protection of user accounts from
probing by unauthorized users.

The FEC Password standard reduces the likelihood of a successful brute force attack.
This standard takes into account the current state of computer system performance, and current
password cracking programs' capabilities.

In addition, the FEC employs a number of other policies and standards as technical
safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's
technical personnel to detect potential threats to electronic information, and record selected
system activities that will be stored with integrity, and reviewed by management on a regular
basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous
review of information systems for compliance with approved policies, procedures, and

standards); the 58-3.2 Application and Operating System Security Policy (which covers the use,
modification, and configuration of computing resource applications and operating systems); the
58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and
addresses interruptions of Commission business processes due to damage, theft, or unauthorized
access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the
prevention, detection, and repair of damage resulting from malicious code).

Firewalls control the processes and users who have external access to the FEC network.
Intelligent switches protect resources by segregating users from certain segments of the network.
Intrusion detection hardware and other network monitoring software alert administrators when
anomalies occur. The Commission has also upgraded its directory services system and has thus
enhanced the Commission's ability to manage its access control capabilities. In addition, the
FEC maintains and reviews access logs (paper and electronic) for its data center.

The FEC employs a three-layered virus prevention strategy that prevents malicious
software from propagating throughout the Commission. This three-layered strategy limits a
hacker's ability to plant listening devices on the Commission's network and/or computer systems
to collect and retrieve sensitive information.

SAVVIS Inc. provides the web hosting services for the Commission's Internet presence.
It also maintains the operating system for the Commission's website. SAVVIS has passed an
in-depth audit of information technology safeguards under Statement on Auditing Standards No. 70
Service Organizations, an internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants. SAVVIS is also contractually bound to the
Privacy Act and FEC privacy policies through GSA Order clauses. The FEC uses a web server
software package, which has a good reputation as a secure product. The web servers are
protected by hardware firewalls that permit public access only through specified protocols, thus
limiting the website's vulnerability to hackers. FEC and SAVVIS administrative personnel can
only access the servers via a secure set of standards and an associated network protocol that
establishes a secure channel between a local and a remote computer by way of public-key
cryptography. All communication to the servers (including usernames and passwords) is thus
encrypted.

The FEC has implemented a Certification and Accreditation Program which is aimed at
effectively capturing risks and vulnerabilities across all major agency systems.[1] The certification
process focuses on the identification and evaluation of system risks, vulnerabilities, and threats,
and whether security safeguards have been put in place to mitigate those risks. Risk assessments
and security control tests are an integral part of the certification process. Accreditation is the
official management authorization to (or not to) operate an information system. During the
accreditation process, senior management reviews all residual risks that remain in a system
despite the application of security safeguards, and makes a decision as to whether the system
shall continue to operate notwithstanding those risks. The Commission completed the risk
assessment portion of the certification process in fiscal year 2008 and is presently in the process
of completing the security control testing portion.

[1] Certification and accreditation programs are required under the Federal Information Security Management Act
(FISMA), from which the FEC is exempt. However, the Commission recognizes the importance of properly
identifying vulnerabilities in its systems and implementing proper security controls and safeguards to protect its
information. Accordingly, it has developed its own certification and accreditation program to fulfill these purposes.
"Major agency system" for the purposes of this report is defined as any electronic system which directly affects the
mission of the agency (e.g. presidential matching funds system, the LAN network system, disclosure database).

The FEC has instituted an Intrusion Detection System (IDS). An intrusion detection
system is used to detect several types of malicious behaviors that can compromise the security
and trust of a computer system. This includes network attacks against vulnerable services, data
driven attacks on applications, host based attacks such as privilege escalation, unauthorized
logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

The Commission implemented an automated process to ensure that accounts not accessed
in a specified time are automatically disabled.
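The report states that dormant accounts are disabled automatically but gives no threshold or mechanism. The following is an added illustration, not code from the report or from the FEC, of how such a control is typically structured: a pass over an account inventory that flags every account whose last successful login (or, for never-used accounts, its creation date) is older than a limit, skips an explicit exemption list, disables the rest through a directory interface, and records an audit trail. The 90-day limit, the account names and dates, and the `DirectoryStub` class are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not FEC data): account -> last successful login.
# None means the account has never been logged into since it was created.
SAMPLE_LAST_LOGIN = {
    "jdoe": datetime(2008, 11, 20),
    "contractor01": datetime(2008, 8, 1),
    "svc_backup": datetime(2008, 11, 30),
    "newhire": None,
}
# Constructed creation dates, used as the reference for never-used accounts so
# that an account provisioned but never claimed does not stay enabled forever.
SAMPLE_CREATED = {
    "jdoe": datetime(2007, 1, 5),
    "contractor01": datetime(2008, 3, 1),
    "svc_backup": datetime(2008, 1, 1),
    "newhire": datetime(2008, 9, 1),
}
# Assumed inactivity limit; the report does not state the FEC's actual value.
INACTIVITY_LIMIT = timedelta(days=90)


def find_stale_accounts(last_login, created, now, limit=INACTIVITY_LIMIT, exempt=()):
    """Return the sorted names of accounts inactive for longer than `limit`.

    Accounts listed in `exempt` (e.g. break-glass or service accounts that are
    reviewed by a separate process) are never reported.
    """
    stale = []
    for name, seen in last_login.items():
        if name in exempt:
            continue
        reference = seen if seen is not None else created[name]
        if now - reference > limit:
            stale.append(name)
    return sorted(stale)


class DirectoryStub:
    """Hypothetical stand-in for a directory service: records what was disabled."""

    def __init__(self):
        self.disabled = []

    def disable(self, name):
        self.disabled.append(name)


def disable_stale_accounts(directory, last_login, created, now,
                           limit=INACTIVITY_LIMIT, exempt=()):
    """Disable stale accounts via `directory` and return an audit trail.

    Each audit entry records the account, the reference timestamp used, and the
    number of days of inactivity, which is what a reviewer needs to confirm the
    control fired correctly.
    """
    audit = []
    for name in find_stale_accounts(last_login, created, now, limit, exempt):
        reference = last_login[name] if last_login[name] is not None else created[name]
        directory.disable(name)
        audit.append({
            "account": name,
            "last_activity": reference.isoformat(),
            "idle_days": (now - reference).days,
            "action": "disabled",
        })
    return audit


if __name__ == "__main__":
    directory = DirectoryStub()
    for entry in disable_stale_accounts(directory, SAMPLE_LAST_LOGIN, SAMPLE_CREATED,
                                        now=datetime(2008, 12, 1)):
        print(entry)
```

Run against the constructed inventory with a reference date of 1 December 2008, the pass disables `contractor01` (last seen in August) and `newhire` (provisioned in September and never used), and leaves the two recently active accounts alone. Reviewing the returned audit trail, rather than only the directory's state, is what lets management verify the automated control on the regular basis the report's auditing policy describes.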

In addition, the Commission instituted a Microsoft patch policy to secure its workstations
from various attacks identified by Microsoft, and thus, no longer relies on users to update their
laptops/workstations with Microsoft patches. The FEC automatically pushes and installs the
patch(es) to users. Moreover, the FEC has implemented new authentication technology for its
Microsoft Windows environment, designed to enhance authentication, integrity and
confidentiality services, and the elimination of vulnerabilities found in prior Windows versions.

Employees of the Audit Division, who regularly travel outside of the office to conduct
audits of committees and campaigns, were provided with encrypted USB drives to ensure
protection of both the sensitive data collected by the auditors, and any FEC data contained on the
drives.

The FEC Office of Information Technology (OIT) and Office of Human Resources
(OHR) established a working group to implement more stringent procedures regarding the
termination of network access when employees and contractors are separated from the agency.
As a result of this collaboration, the agency will soon be implementing the FEC Access System
(FAS), an electronic system that will track staff and contractors from the start of their
employment at the Commission to exit, and will allow managers to request and document
changes in network and application access. The implementation of FAS will aid the agency in
ensuring that after separation of FEC employment or termination of contracts, employee and
contractor user accounts are disabled and equipment is properly returned to the FEC. FAS is
currently in the final testing stages and is tentatively scheduled for full implementation before the
end of calendar year 2008.

The FEC implemented a network access control system which scans network devices and
denies access unless the device meets FEC security requirements. Using a Department of
Defense standard, the FEC sanitizes the hard drives of any computer system prior to issuing to
another employee or sending out for replacement.

The Commission purchased in fiscal year 2008 an automated time and attendance
program called WebTA, which provides employee leave request and approval capabilities and
attendance tracking for payroll purposes, and significantly reduces the use of paper leave, time,
and attendance forms and records. WebTA was officially implemented throughout the agency
on November 10, 2008, and is currently being utilized by all employees.

The Commission, in conjunction with the Office of Personnel Management (OPM), is in
the process of converting all paper Official Personnel Folders (OPFs) located in the Office of
Human Resources into electronically-stored folders. Through this system, employees will be
able to access their own OPFs electronically, thus reducing the risk of lost PII that can occur
during paper transport. Access to other employees' electronic personnel folders will be strictly
limited to those granted special access (e.g. Human Resources professionals). Upon scanning of
the personnel folders into the electronic system, the paper folders will be archived, thus significantly
reducing the number of paper OPFs kept in the Office of Human Resources and allowing for
more effective security of our employees' PII.

Physical Safeguards

The Commission has established physical safeguards that it believes are commensurate
with the risk associated with and the sensitivity of the information in its possession. Security
guards staff the building entrance and employees are required to show identification before
entering. Effective January 2009, these guards will be armed. Individuals who wish to research
Commission public records are restricted to an area of the building that includes only public
records, and all other visitors require an employee escort. Privacy screens have been installed on
computer screens where there is a substantial likelihood that personal information may be
viewed by passers-by.

Commission policies require that paper and microfilm records are kept in limited access
areas under the personal surveillance of Commission employees during working hours and in
locked rooms during non-working hours, that CD-ROMs related to audits and investigations be
kept in locked file cabinets, and that paper records related to audits and investigations be kept in
locked safes in limited access areas of the building. Auditors in the field are instructed to keep
their audit documents under personal supervision or in locked cases. Employees with access to
payroll and travel records are advised to maintain the records in locked file cabinets in
cipher-locked rooms. All employees are advised that documents containing sensitive information,
including personal information, must be shredded prior to disposal. We plan on working closely
with the FEC's Administrative Officer to improve physical security of sensitive information and
ensure the physical security policies are adhered to by employees.

Additionally, in connection with its PII Review, the Commission is seeking consultations
from third party contractor STSI for any recommended measures that may strengthen the
agency's administrative, technical, and physical safeguards, and add to its cadre of privacy and
security policies and procedures.

Our administrative, technological, and physical safeguards have proven effective.
Nevertheless, the Federal Election Commission is working to improve its protection of personal
information by reviewing its privacy policies and procedures, updating its system of records, and
exploring additional training opportunities for its employees. We look forward to providing you
with an update on our progress next year.

Respectfully submitted,

Alec Palmer
Co-Chief Privacy Officer

Lawrence Calvert
Co-Chief Privacy Officer


APPENDIX I

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

December 20, 2007

The Honorable Nancy Pelosi
Speaker of the House
U.S. House of Representatives
H-232, The Capitol
Washington, DC 20515

Dear Madam Speaker:

Section 522 of the Consolidated Appropriations Act, 2005, 42 U.S.C. § 2000ee-2,
("section 522") requires Chief Privacy Officers of federal agencies to report to Congress on an
annual basis on activities that affect privacy including complaints of privacy violations,
implementation of the Privacy Act, and internal controls (administrative, technical, and physical
safeguards), and other relevant matters. This letter is submitted pursuant to the requirements of
section 522.

Most importantly, we are pleased to report that in fiscal year 2007 the Federal Election
Commission ("FEC" or "Commission") had no physical or electronic incidents involving the loss
of, or unauthorized access to, personally identifiable information. The Commission received no
complaints of privacy violations in fiscal year 2007.

The FEC has always taken very seriously the need to protect the privacy of information
entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of
federal agencies with fewer than 400 employees and the fact that our budget does not include any
specific provisions for privacy compliance. During fiscal year 2007, we pursued several
activities to improve agency privacy policies and to fully implement the Privacy Act:

• The FEC reviewed its system of records and plans to publish new and amended systems
of records notices in 2007 or early 2008;

• The FEC reviewed its privacy practices during the course of preparing its annual Privacy
Management Report and submitted the report to the Office of Management and Budget
("OMB");

• Pursuant to OMB Memorandum 07-16, the FEC developed a Plan to Review and Reduce
Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social
Security Numbers. In addition, the FEC published a schedule on its website to
periodically review its holdings of personally identifiable information on a biennial basis
in connection with the biennial review of agency systems of records.
http://www.fec.gov/law/privacy_act_notices.shtml. The review, however, will be
comprehensive and will not be limited to personally identifiable information contained in
agency systems of records;

• Pursuant to section 522, the FEC issued a Report to the Inspector General of its use of
information in an identifiable form, along with its privacy and data protection policies
and procedures. The Inspector General contracted with an independent third party to:
evaluate the agency's use of information in an identifiable form; evaluate the privacy and
data protection procedures; and recommend strategies and specific steps to improve
privacy and data protection. That review is complete and the report is available on the
website. http://www.fec.gov/fecig/fecig.shtml. The FEC has reviewed the report and is
already making plans to implement audit recommendations and further improve its
privacy program;

• The FEC conducted Annual Security Awareness training for Commission employees that
included discussions of general privacy principles. The mandatory "Security Awareness
2007 Training" included: a PowerPoint presentation concerning general security
requirements; a review of Commission policy governing electronic records, software, and
computer usage; the FEC's Mobile Computing Security Policy, issued pursuant to OMB
Memorandum 06-16, which requires all mobile computing devices to be encrypted,
two-factor authentication, and user reauthentication after a minimum of 30 minutes of
inactivity; and FEC Guidelines for Protecting Sensitive Information; and

• The FEC worked on developing additional privacy training for its employees and
job-specific training on privacy issues to employees directly involved in the administration of
personal information or information technology, and employees with significant
information security responsibilities. We anticipate this training will be delivered in the
first quarter of 2008.

More recently, during calendar year 2007, the FEC completed several privacy projects,
including:

• Pursuant to the Privacy Act and section 522, the FEC updated and finalized its Privacy
Protection Policies and Procedures;

• Pursuant to OMB Memorandum 05-08 and section 522, the FEC finalized a Directive
designating the Co-Chief Privacy Officers and Senior Agency Officials for Privacy and
describing their duties;

• Pursuant to OMB Memorandum 07-16, the FEC adopted a Policy and Plan for
Responding to Breaches of Personally Identifiable Information;

• Pursuant to the Privacy Act and OMB Memorandum 07-16, the FEC finalized Privacy
Rules of Conduct, which set out the rules of behavior and identify the consequences of
failure to comply, including loss of authority to access the information or system. The
Privacy Rules of Conduct cover all employees, contractors, licensees, certificate holders,
and grantees; and

• The Co-Chief Privacy Officers circulated an e-mail to all FEC staff and contractors
advising them of their responsibility to safeguard personally identifiable information.
The e-mail included a memorandum issued to all FEC employees pursuant to OMB
Memorandum 06-15, reminding them of their responsibility to safeguard personally
identifiable information, the rules for acquiring and using that information, and the
penalties for violation of those rules.

On-going efforts to implement specific provisions of the Privacy Act include:

• Administrative, technical, and physical safeguards to ensure the security and confidentiality
of records in accordance with 5 U.S.C. § 552a(e)(10) (discussed below in greater detail);

• FEC regulations that: establish notification procedures for responding to an individual's
request as to whether a system of records contains a record pertaining to that individual;
define reasonable times, places, and requirements for making the information available to
the individual; set forth the procedures for disclosure to the individual; permit the
individual to request amendment of any record or information pertaining to the individual; and
establish fees to be charged for copies of records. See 11 C.F.R. Part 1.

• A clause in all FEC contracts that incorporates the Privacy Act and requires
contractors to comply with the Act, 5 U.S.C. § 552a(m).

Legislative and Regulatory Proposals

Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory
proposals that affect privacy. Three of the Commission's five legislative recommendations in
fiscal year 2007 would have affected the collection, use, or disclosure of personal information.
See http://www.fec.gov/law/legislative recommendations 2007.shtml. First, the Commission
recommended that Congress require mandatory electronic filing of campaign finance reports by
the authorized committees of Senate candidates who have, or expect to have, aggregate
contributions or expenditures in excess of $50,000 in a calendar year. This recommendation
would not result in the collection or use of any additional personal information about
contributors to Senate campaigns, but would speed the disclosure of such information.

Second, the Commission recommended that the FEC be added to the list of agencies
authorized to issue "use" immunity orders under Title 18, U.S. Code, with the permission of the
Attorney General. This recommendation would enable the Commission to obtain testimony in
enforcement investigations from individuals who might otherwise refuse to testify on the
basis of their privilege against self-incrimination. The information obtained could include
personal information about the witnesses or others.

The third recommendation would increase certain monetary thresholds, unchanged since
the 1970s, that apply to actions by individuals and small groups involved in campaigns.
Three of these proposed changes would increase thresholds that trigger obligations
to report financial activity to the Commission. These recommendations would likely marginally
reduce the number of individuals and small organizations making independent expenditures who
must report to the Commission, and the number of small organizations that must register as
political committees (which are required to report certain information about contributors whose
contributions aggregate in excess of $200 in a calendar year). Thus, the recommendations would
reduce the agency's collection and dissemination of personal information.

Two Commission regulatory proposals, if put into effect, would also affect the collection, use,
or disclosure of personal information. Specifically, proposed rules to implement section 204 of
Public Law 110-81, the "Honest Leadership and Open Government Act of 2007" (HLOGA),
would require certain political committees to disclose information (such as name and address,
employer information, and amount of contributions bundled to the committee) about each
lobbyist and registrant, and each political committee established or controlled by a lobbyist or
registrant, that forwards, or is credited with raising, two or more bundled contributions
aggregating in excess of $15,000 during a specific period of time. See 72 Fed. Reg. 62600
(November 6, 2007). While this proposal would result in the collection and disclosure of
personal information about lobbyists and registrants that is not currently collected, the proposed
rule would not require the collection or disclosure of any more information than is required by
HLOGA.

The Commission also adopted changes to FEC rules in light of the Supreme Court
decision in FEC v. Wisconsin Right to Life, Inc. (WRTL), 127 S. Ct. 2652 (2007). See
www.fec.gov/law/law rulemakings.shtml. New 11 C.F.R. § 114.15 creates an exemption from
the corporate and labor organization funding restrictions on electioneering communications in 11
C.F.R. § 114.2 and includes changes to the electioneering communications reporting
requirements in 11 C.F.R. § 104.20. Prior to WRTL, corporations and labor organizations could
not make any electioneering communications using funds from their general treasuries. After
WRTL, they may make certain electioneering communications described in the new exemption
with general treasury funds. The new rules require corporations and labor organizations that
make permissible electioneering communications aggregating in excess of $10,000 in a calendar
year to report, among other things, the name and address of each person who made a donation
aggregating $1,000 or more to the corporation or labor organization for the purpose of furthering
electioneering communications. Similar information was already required to be reported about
donors to other entities that make electioneering communications. Thus, the new rules would
increase the collection and dissemination of personal information about donors only to the extent
the rules result in donations to corporations and labor organizations, which were previously
prohibited from engaging in this activity. In drafting the regulations, the Commission was
careful to protect the privacy rights of those donors who give for more general purposes and
limited the reporting obligations to information about those persons who make donations
for the purpose of furthering electioneering communications.

Administrative Safeguards

The Commission's enabling statute, the Federal Election Campaign Act (FECA), as
amended, provides important administrative safeguards. Specifically, the FECA prohibits the
disclosure of conciliation information or information about an open complaint or investigation
without the written consent of the person who is the subject of the complaint or investigation. See 2
U.S.C. § 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may
result in criminal penalties and possible fines. 2 U.S.C. § 437g(a)(12)(B).

Additional FEC administrative safeguards for personally identifiable information include
the Privacy Protection Policies and Procedures, the Data Protection Policies and Procedures, and
government-wide ethical standards that prohibit the use of non-public information for personal
gain. See 5 C.F.R. § 2635.703 (2006). OPM regulations prohibit the unauthorized disclosure of
personnel records. See 5 C.F.R. § 293.108 (1979). Employees are allowed access to personal
information only to the extent necessary to perform their duties, and the FEC
network is configured to grant each employee only the lowest level of access necessary.

All FEC staff and contractors must keep information relating to their work on the FEC
network to the extent that the technology available at field locations allows and thus minimize
the amount of information kept on laptop, or local, hard drives. Mindful of the need for security
when FEC laptops leave the building, the FEC encrypted the hard drives of all FEC laptops and
configured them to require two-factor authentication for access.

FEC personnel redact personal information as appropriate from compliance matter
records before documents in those matters are made public.

Contractors working for the FEC are required to comply with the Privacy Act, as all
Commission contracts include a clause that incorporates Privacy Act requirements. They are
also required to comply with Commission Information System Security policies when accessing
Commission information resources. For instance, if a contractor uses a laptop, the system must
meet the FEC security requirements. At the end of a contract, the contractor must ensure that
any FEC data on the contractor's laptop has been removed. Any device a contractor uses for
remote access to the Commission's network must be encrypted, use two-factor authentication,
and include a 30-minute time-out function. FEC staff and contractors are advised on the proper
handling of agency data and encouraged to save FEC data to their network folders, especially
when performing work off-site. On the rare occasions when staff and contractors have to save
FEC data on a local hard drive, they are advised to move the data to a network folder in a timely
manner.

The FEC has also contracted with an outside organization, EBSI, to perform a series of
formal risk assessments of our information systems. The information obtained from these risk
assessments, which are ongoing, will be used to develop, modify, and implement any new
policies, standards, and procedures needed to improve the Commission's protection of sensitive
information, including personally identifiable information.

Individuals who access information the FEC publishes about candidate and committee
activity are reminded that information may not be sold, used for commercial purposes, or used to
solicit any type of contribution or donation.

With respect to its website, the FEC collects only statistical data from visitors who browse
the site. It collects personal information from individuals who request information or download
data, but it does so only with the express permission of the individual. The Commission's
website privacy policy is prominently displayed and easy to access.
http://www.fec.gov/privacy.shtml.

Technical Safeguards

The FEC's technical safeguards for personally identifiable information are based on the
classification of that information as sensitive information. The protection of sensitive
information is the foundation of the Commission's Information System Security Program, a
comprehensive entity-wide program designed to ensure the confidentiality, integrity, and
availability of information systems and data and aimed at protecting the overall FEC computing
environment.

The FEC's technical safeguards include, inter alia, identification and authorization,
logical access, and monitoring. Identification and authorization (access control) are technical
safeguards that keep unauthorized people, and unauthorized processes, out of an
information technology system. All FEC information systems that contain personally
identifiable information must conform to the Commission's identification and authorization
policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the
FEC Password Standard.

The 58-3.1 Logical Access Policy safeguards information against unauthorized use,
disclosure, modification, damage, and loss through automated mechanisms that restrict
logical access to FEC electronic information to authorized users, and through automated procedures
that base information access on actual business need. This policy takes into consideration
authorization, identification, authentication, privacy, and user profiles.

The 58-2.2 Account Management Policy ensures that FEC information system user
accounts are consistently authorized and validated. This policy provides for individual
accountability in automated transactions, consistent adherence to user identification code
standards across FEC applications and platforms, and the protection of user accounts from
probing by unauthorized users.

The FEC password standard reduces the likelihood of a successful brute force attack.
This standard takes into account the current state of computer system performance, and current
password cracking programs' capabilities.
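The reasoning behind such a standard is a back-of-the-envelope keyspace calculation that is redone whenever cracking hardware gets faster. The following is an added illustration, not FEC code and not the FEC Password Standard itself; the character-class sizes, the guess rates, and the sample policies are assumptions for the estimate. It computes the keyspace and expected brute-force time for a policy at a given attacker speed, and checks a candidate password against a length-plus-composition rule.

```python
import math

# Character-class sizes assumed for the estimate (printable ASCII). These and the
# guess rates used in compare_policies are illustrative assumptions, not figures
# taken from the FEC standard.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(classes):
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of candidates of exactly `length` characters drawn from `classes`."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size(classes))


def expected_crack_seconds(length, classes, guesses_per_second):
    """Expected offline brute-force time: on average half the keyspace is tried
    before the right candidate is hit."""
    return keyspace(length, classes) / 2 / guesses_per_second


def crack_years(length, classes, guesses_per_second):
    return expected_crack_seconds(length, classes, guesses_per_second) / SECONDS_PER_YEAR


def classes_present(password):
    """Character classes actually used by a candidate password."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return present


def meets_policy(password, min_length, required_classes):
    """Length-plus-composition check; only the classes the policy names are required."""
    return len(password) >= min_length and set(required_classes) <= classes_present(password)


def compare_policies(guesses_per_second):
    """Expected brute-force years for a few candidate policies at one attacker
    speed, so the standard can be re-evaluated as cracking hardware improves."""
    policies = {
        "8 lowercase": (8, {"lower"}),
        "8 mixed+digits": (8, {"lower", "upper", "digit"}),
        "12 all classes": (12, {"lower", "upper", "digit", "symbol"}),
        "16 lowercase": (16, {"lower"}),
    }
    return {name: crack_years(n, cls, guesses_per_second)
            for name, (n, cls) in policies.items()}
```

Two things the numbers make plain: length contributes exponentially while adding a character class contributes only a larger base, so sixteen lowercase letters out-resist eight mixed-class characters by orders of magnitude; and the estimate is only as good as the assumed guess rate, which is why the standard has to be revisited against current cracking speeds rather than set once.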

In addition, the FEC employs a number of other policies and standards as technical
safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's
technical personnel to detect potential threats to electronic information, and records selected
system activities that are stored with integrity and reviewed by management on a regular
basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous
review of information systems for compliance with approved policies, procedures, and
standards); the 58-3.2 Application and Operating System Security Policy (which covers the use,
modification, and configuration of computing resource applications and operating systems); the
58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and
addresses interruptions of Commission business processes due to damage, theft, or unauthorized
access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the
prevention, detection, and repair of damage resulting from malicious code).

Firewalls control the processes and users who have external access to the FEC network.
Intelligent switches protect resources by segregating users from certain segments of the network.
Intrusion detection hardware and other network monitoring software alert administrators when
anomalies occur. The Commission has also upgraded its directory services system and has thus
enhanced the Commission's ability to manage its access control capabilities. In addition, the
FEC maintains and reviews access logs (paper and electronic) for its data center.

The FEC employs a three-layered virus prevention strategy that prevents malicious
software from propagating through the Commission's environment. This three-layered strategy limits an
attacker's ability to plant listening programs on the Commission's network or computer
systems to collect and exfiltrate sensitive information.

SAVVIS Inc. provides the web hosting services for the Commission's Internet presence
and maintains the operating system for the Commission's website. SAVVIS Inc. has passed
an in-depth audit of information technology safeguards under Statement on Auditing Standards
No. 70, Service Organizations, an internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants. The FEC uses a web server software
package with a good reputation as a secure product. The web servers are protected by
hardware firewalls that permit public access only through specified protocols, thus limiting the
website's exposure to attackers. FEC and SAVVIS Inc. administrative personnel can
access the servers only via a secure set of standards and an associated network protocol that
establishes a secure channel between a local and a remote computer by way of public-key
cryptography. All administrative communication to the servers (including usernames and passwords)
is thus encrypted.

The Commission employs a continuous monitoring program that includes periodic tests
of the Commission's Local Area Network, specifically tests of vulnerability to external
penetration, disaster recovery plans, incident response plans, network vulnerability, and access
control procedures.

During 2007, the FEC implemented an Intrusion Detection System (IDS). An intrusion
detection system is used to detect several types of malicious behaviors that can compromise the
security and trust of a computer system. This includes network attacks against vulnerable
services, data driven attacks on applications, host based attacks such as privilege escalation,
unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and
worms).
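Of the behaviours listed, repeated unauthorized login attempts are the simplest to detect from logs alone, and the detection logic is worth seeing concretely. The following is an added example, not the FEC's IDS and not its rules: a small detector that parses constructed SSH authentication log lines (the host names, users and addresses are made up), raises a brute-force alert when one source accumulates a threshold of failed logins inside a sliding window, and raises a second, higher-priority alert if that same source then logs in successfully. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines in syslog/sshd style (not real FEC logs).
SAMPLE_LOG = """\
Dec 01 09:00:01 fec-web sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec 01 09:00:03 fec-web sshd[4102]: Failed password for root from 203.0.113.7 port 51123 ssh2
Dec 01 09:00:04 fec-web sshd[4103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Dec 01 09:00:06 fec-web sshd[4104]: Failed password for root from 203.0.113.7 port 51125 ssh2
Dec 01 09:00:09 fec-web sshd[4105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Dec 01 09:00:10 fec-web sshd[4106]: Accepted publickey for jdoe from 198.51.100.22 port 40000 ssh2
Dec 01 09:15:00 fec-web sshd[4110]: Failed password for jdoe from 198.51.100.22 port 40001 ssh2
Dec 01 09:40:00 fec-web sshd[4120]: Failed password for jdoe from 198.51.100.22 port 40002 ssh2
Dec 01 09:40:02 fec-web sshd[4121]: Accepted password for root from 203.0.113.7 port 51130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2007):
    """Parse one sshd auth line; returns None for lines this detector does not model.
    syslog timestamps carry no year, so the year is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source, user, timestamp) tuples.

    'brute_force' fires once per source when it reaches `threshold` failed logins
    within `window` (sliding: failures older than the window are dropped, so two
    slow failures half an hour apart never add up). 'success_after_failures' fires
    when a source that already tripped the brute-force rule then logs in."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in the window
    flagged = set()                        # sources that already raised brute_force
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["user"], ev["ts"]))
        elif src in flagged:
            alerts.append(("success_after_failures", src, ev["user"], ev["ts"]))
    return alerts
```

On the sample, 203.0.113.7 reaches five failures in eight seconds and is flagged; its later successful root login then produces the second alert, which is the one an analyst should look at first. The two failures from 198.51.100.22 are 25 minutes apart and never share a window, so they are not reported. Raising the threshold to six suppresses both alerts, which shows why the threshold, not just the rule, has to be tuned against real traffic.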

The Commission also implemented an automated process to ensure that accounts not
accessed within a specified period are automatically disabled.
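The policy sentence leaves open the two cases such a job has to get right: an account that has never been used, and an account the job already disabled on an earlier run. The following is an added example, not the FEC's automated process; the account records are constructed, and the 60- and 90-day thresholds are assumptions. Never-used accounts are aged from their creation date so a provisioned-but-unused account cannot stay enabled forever, and already-disabled accounts are skipped so the job is idempotent.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed sample account records (not FEC data). last_login is None for an
# account that has never been used.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "created_at": "2007-01-10", "last_login": "2007-11-28"},
    {"user": "bob",   "enabled": True,  "created_at": "2007-02-01", "last_login": "2007-08-15"},
    {"user": "carol", "enabled": True,  "created_at": "2007-09-20", "last_login": None},
    {"user": "dave",  "enabled": True,  "created_at": "2007-11-25", "last_login": None},
    {"user": "erin",  "enabled": False, "created_at": "2006-05-05", "last_login": "2006-06-01"},
]


def parse_day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def accounts_to_disable(accounts, now, max_idle_days=90):
    """Enabled accounts whose last activity is older than max_idle_days.

    An account that has never logged in is aged from its creation date, so a
    provisioned but unused account cannot stay enabled indefinitely. Accounts
    that are already disabled are skipped, which keeps the job idempotent."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last_activity = parse_day(acct["last_login"] or acct["created_at"])
        if last_activity < cutoff:
            stale.append(acct["user"])
    return sorted(stale)


def disable_stale(accounts, now, max_idle_days=90):
    """Apply the policy in place; return the users disabled on this run."""
    stale = set(accounts_to_disable(accounts, now, max_idle_days))
    for acct in accounts:
        if acct["user"] in stale:
            acct["enabled"] = False
    return sorted(stale)


def demo(now="2007-12-01"):
    """Run the policy at two thresholds against a fresh copy of the sample data,
    then apply it twice to show the second run finds nothing new."""
    accts = copy.deepcopy(SAMPLE_ACCOUNTS)
    when = parse_day(now)
    return {
        "90_days": accounts_to_disable(accts, when, 90),
        "60_days": accounts_to_disable(accts, when, 60),
        "applied": disable_stale(accts, when, 60),
        "second_run": disable_stale(accts, when, 60),
    }
```

In a real deployment the record source would be the directory service and the job would disable rather than delete, so that a wrongly aged account can be restored with its data and group memberships intact.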

In addition, the Commission implemented a Microsoft patch policy to secure
workstations from the vulnerabilities Microsoft identifies, and thus no longer relies on users to
update their laptops and workstations with Microsoft patches. The FEC automatically pushes and
installs the patches to users' machines.

The FEC also purchased a network access control system which, when implemented, will
scan network devices and deny access unless the device meets FEC security requirements.
Finally, using a Department of Defense standard, the FEC sanitizes the hard drives of any
computer system before reissuing it to another employee or sending it out for replacement.
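The report names the standard but not the procedure, so the following is an added illustration of what an overwrite-and-verify sanitization step looks like, written for this page and not taken from the FEC's process; the pass sequence (zeros, ones, then random data), the chunk size and the sample record are assumptions. It overwrites a file in place once per pass, forces each pass to disk, reads the fixed-pattern passes back to verify them, and finally checks that none of the original bytes survive.

```python
import os
import tempfile

# Pass sequence assumed for illustration: all zeros, all ones, then random data.
# The FEC report names only "a Department of Defense standard" and gives no passes.
PASSES = (b"\x00", b"\xff", None)  # None means a pass of random bytes

# Constructed sample content standing in for a sensitive record (not FEC data).
SAMPLE_RECORD = b"constructed PII record 0001; do not disclose\n" * 200


def overwrite_file(path, passes=PASSES, chunk=1 << 16):
    """Overwrite every byte of `path` in place once per pass, forcing each pass to
    disk and reading back the fixed-pattern passes to verify they landed.
    Returns the number of passes completed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # make sure the pass reached the device
            if pattern is not None:       # random passes cannot be checked this way
                f.seek(0)
                if f.read() != pattern * size:
                    raise RuntimeError("verification failed for pass %r" % pattern)
    return len(passes)


def demo_sanitize(sample=SAMPLE_RECORD):
    """Write the sample to a temp file, sanitize it, and check whether any of the
    original bytes survived. Returns (passes_done, original_still_present)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(sample)
        passes = overwrite_file(path)
        with open(path, "rb") as f:
            after = f.read()
        leaked = (sample[:32] in after) or (len(after) != len(sample))
        return passes, leaked
    finally:
        os.remove(path)
```

The caveat a practitioner needs here: overwriting a file reaches only the blocks currently mapped to it, not file-system journals, slack space, remapped sectors or the spare blocks that SSD and flash wear-levelling keep out of view. Multi-pass overwrite is a magnetic-media technique; for flash media, NIST SP 800-88 points to the drive's own sanitize or secure-erase command, or to cryptographic erase, and whole-device sanitization is done against the device rather than against files.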

Physical Safeguards

The Commission has established physical safeguards that it believes are commensurate
with the risk associated with and the sensitivity of the information in its possession. Security
guards staff the building entrance, employees are required to show identification before entering;
individuals who wish to research Commission public records are restricted to an area of the
building that includes only public records; and all other visitors require an employee escort.
Privacy screens have been installed on computer screens where there is a substantial likelihood
that personal information may be viewed by passers-by.

Commission policies require that paper and microfilm records be kept in limited access
areas under the personal surveillance of Commission employees during working hours and in
locked rooms during non-working hours; that CD-ROMs related to audits and investigations be
kept in locked file cabinets; and that paper records related to audits and investigations be kept in
locked safes in limited access areas of the building. Auditors in the field are instructed to keep
their audit documents under personal supervision or in locked cases. Employees with access to
payroll and travel records are advised to maintain the records in locked file cabinets in
cipher-locked rooms. All employees are advised that documents containing sensitive information,
including personal information, must be shredded prior to disposal. We plan on working closely
with the FEC's Administrative Officer in 2008 to improve the physical security of sensitive
information and ensure that employees adhere to the physical security policies.

Our administrative, technical, and physical safeguards have proven effective.
Nevertheless, the Federal Election Commission is working to improve its protection of personal
information by reviewing its privacy policies and procedures, updating its systems of records, and
exploring additional training opportunities for its employees. We look forward to providing you
with an update on our progress next year.

Respectfully submitted,

Alec Palmer
Co-Chief Privacy Officer

Lawrence Calvert
Co-Chief Privacy Officer
