
BEFORE THE FEDERAL ELECTION COMMISSION

In the Matter of
Privacy Act Report to Congress

CERTIFICATION

I, Mary W. Dove, Secretary of the Federal Election Commission, do hereby
certify that on December 17, 2007, the Commission decided by a vote of 5-0 to
approve the Privacy Act Report to Congress, as recommended in the Chief
Information Officer/Co-Chief Privacy Officer's memorandum dated
December 13, 2007.

Commissioners Lenhard, Mason, von Spakovsky, Walther and Weintraub
voted affirmatively for the decision.

Attest:

Mary W. Dove
Secretary of the Commission

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

December 20, 2007

The Honorable Jim Nussle
Director
Office of Management and Budget
Washington, DC 20503

Re: Federal Election Commission Privacy Act Report to Congress

Dear Director Nussle:

Enclosed please find a courtesy copy of the report the Federal Election Commission
submitted to Congress for fiscal year 2007 pursuant to Section 522 of the Consolidated
Appropriations Act, 2005.

Respectfully submitted,

Alec Palmer
Co-Chief Privacy Officer

Enclosure
FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

December 20, 2007

The Honorable Nancy Pelosi
Speaker of the House
U.S. House of Representatives
H-232, The Capitol
Washington, DC 20515

Dear Madam Speaker:

Section 522 of the Consolidated Appropriations Act, 2005, 42 U.S.C. § 2000ee-2
("section 522") requires Chief Privacy Officers of federal agencies to report to Congress on an
annual basis on activities that affect privacy, including complaints of privacy violations,
implementation of the Privacy Act, internal controls (administrative, technical, and physical
safeguards), and other relevant matters. This letter is submitted pursuant to the requirements of
section 522.

Most importantly, we are pleased to report that in fiscal year 2007 the Federal Election
Commission ("FEC" or "Commission") had no physical or electronic incidents involving the loss
of, or unauthorized access to, personally identifiable information. The Commission received no
complaints of privacy violations in fiscal year 2007.

The FEC has always taken very seriously the need to protect the privacy of information
entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of
federal agencies with fewer than 400 employees and the fact that our budget does not include any
specific provisions for privacy compliance. During fiscal year 2007, we pursued several
activities to improve agency privacy policies and to fully implement the Privacy Act:

• The FEC reviewed its system of records and plans to publish new and amended systems
of records notices in 2007 or early 2008;

• The FEC reviewed its privacy practices during the course of preparing its annual Privacy
Management Report and submitted the report to the Office of Management and Budget
("OMB");

• Pursuant to OMB Memorandum 07-16, the FEC developed a Plan to Review and Reduce
Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social
Security Numbers. In addition, the FEC published a schedule on its website to
periodically review its holdings of personally identifiable information on a biennial basis
in connection with the biennial review of agency systems of records.
http://www.fec.gov/law/privacy_act_notices.shtml. The review, however, will be
comprehensive and will not be limited to personally identifiable information contained in
agency systems of records;

• Pursuant to section 522, the FEC issued a Report to the Inspector General of its use of
information in an identifiable form, along with its privacy and data protection policies
and procedures. The Inspector General contracted with an independent third party to:
evaluate the agency's use of information in an identifiable form; evaluate the privacy and
data protection procedures; and recommend strategies and specific steps to improve
privacy and data protection. That review is complete and the report is available on the
website. http://www.fec.gov/fecig/fecig.shtml. The FEC has reviewed the report and is
already making plans to implement audit recommendations and further improve its
privacy program;

• The FEC conducted Annual Security Awareness training for Commission employees that
included discussions of general privacy principles. The mandatory "Security Awareness
2007 Training" included: a PowerPoint presentation concerning general security
requirements; a review of Commission policy governing electronic records, software, and
computer usage; the FEC's Mobile Computing Security Policy, issued pursuant to OMB
Memorandum 06-16, which requires all mobile computing devices to be encrypted, to use
two-factor authentication, and to require user reauthentication after a maximum of 30 minutes of
inactivity; and FEC Guidelines for Protecting Sensitive Information; and

• The FEC worked on developing additional privacy training for its employees and
job-specific training on privacy issues for employees directly involved in the administration of
personal information or information technology, and employees with significant
information security responsibilities. We anticipate this training will be delivered in the
first quarter of 2008.

More recently, during calendar year 2007, the FEC completed several privacy projects,
including:

• Pursuant to the Privacy Act and section 522, the FEC updated and finalized its Privacy
Protection Policies and Procedures;

• Pursuant to OMB Memorandum 05-08 and section 522, the FEC finalized a Directive
designating the Co-Chief Privacy Officers and Senior Agency Officials for Privacy and
describing their duties;

• Pursuant to OMB Memorandum 07-16, the FEC adopted a Policy and Plan for
Responding to Breaches of Personally Identifiable Information;

• Pursuant to the Privacy Act and OMB Memorandum 07-16, the FEC finalized Privacy
Rules of Conduct, which outline the rules of behavior and identify the consequences
available for failure to comply, including the loss of authority to access the information
or system. The Privacy Rules of Conduct cover all employees, contractors, licensees,
certificate holders, and grantees; and

• The Co-Chief Privacy Officers circulated an e-mail to all FEC staff and contractors
advising them of their responsibility to safeguard personally identifiable information.
The e-mail included a memorandum issued to all FEC employees pursuant to OMB
Memorandum 06-15, reminding them of their responsibility to safeguard personally
identifiable information, the rules for acquiring and using that information, and the
penalties for violation of those rules.

On-going efforts to implement specific provisions of the Privacy Act include:

• Administrative, technical, and physical safeguards to insure security and confidentiality
of records in accordance with 5 U.S.C. § 551a(e)(10) (discussed below in greater detail);

• FEC regulations that: establish notification procedures to respond to an individual's
request for whether a system of records contains a record pertaining to the individual;
define reasonable times, places, and requirements for making the information available to
the individual; set forth the procedures for disclosure to the individual; permit the
individual to request to amend any record or information pertaining to the individual; and
establish fees to be charged for copies of records. See 11 C.F.R. Part 1.

• A clause in all contracts with the FEC that incorporates the Privacy Act and requires
contractors to comply with the Act, 5 U.S.C. § 552(m).

Legislative and Regulatory Proposals

Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory
proposals that affect privacy. Three of the Commission's five legislative recommendations in
fiscal year 2007 would have affected the collection, use, or disclosure of personal information.
See http://www.fec.gov/law/legislative_recommendations_2007.shtml. First, the Commission
recommended that Congress require mandatory electronic filing of campaign finance reports by
the authorized committees of Senate candidates who have, or expect to have, aggregate
contributions or expenditures in excess of $50,000 in a calendar year. This recommendation
would not result in the collection or use of any additional personal information about
contributors to Senate campaigns, but would speed the disclosure of such information.

Second, the Commission recommended that the FEC be added to the list of agencies
authorized to issue "use" immunity orders under Title 18, U.S. Code, with the permission of the
Attorney General. This recommendation would enable the Commission to obtain testimony in
enforcement investigations from individuals who might otherwise refuse to testify on the
basis of their privilege against self-incrimination. The information obtained could include
personal information about the witnesses or others.

The third recommendation would increase certain monetary thresholds that have not been
changed since the 1970s related to actions by individuals and small groups involved in
campaigns. Three of these proposed changes would increase thresholds that trigger obligations
to report financial activity to the Commission. These recommendations would likely marginally
reduce the number of individuals and small organizations making independent expenditures who
must report to the Commission and the number of small organizations that must register as
political committees (which are required to report certain information about contributors whose
contributions aggregate in excess of $200 in a calendar year). Thus, the recommendations would
reduce the agency's collection and dissemination of personal information.

Two Commission regulatory proposals, if effected, would also affect the collection, use,
or disclosure of personal information. Specifically, proposed rules to implement section 204 of
Public Law 110-81, the "Honest Leadership and Open Government Act of 2007" (HLOGA),
would require certain political committees to disclose information (such as name and address,
employer information, and amount of contributions bundled to the committee) about each
lobbyist and registrant, and each political committee established or controlled by a lobbyist or
registrant, that forwards, or is credited with raising, two or more bundled contributions
aggregating in excess of $15,000 during a specific period of time. See 72 Fed. Reg. 62600
(November 6, 2007). While this proposal would result in the collection and disclosure of
personal information about lobbyists and registrants that is not currently collected, the proposed
rule would not require the collection or disclosure of any more information than is required by
HLOGA.

The Commission also adopted changes to FEC rules in light of the Supreme Court
decision in FEC v. Wisconsin Right to Life, Inc. (WRTL), 127 S. Ct. 2652 (2007). See
www.fec.gov/law/law_rulemakings.shtml. New 11 C.F.R. § 114.15 creates an exemption from
the corporate and labor organization funding restrictions on electioneering communications in 11
C.F.R. § 114.2 and includes changes to the electioneering communications reporting
requirements in 11 C.F.R. § 104.20. Prior to WRTL, corporations and labor organizations could
not make any electioneering communications using funds in their general treasuries. After
WRTL, they may make certain electioneering communications described in the new exemption
with general treasury funds. The new rules require corporations and labor organizations that
make permissible electioneering communications aggregating in excess of $10,000 in a calendar
year to report, among other things, the name and address of each person who made a donation
aggregating $1,000 or more to the corporation or labor organization for the purpose of furthering
electioneering communications. Similar information was already required to be reported about
donors to other entities that make electioneering communications. Thus, the new rules would
increase the collection and dissemination of personal information about donors only to the extent
the rules result in donations to corporations and labor organizations, which were previously
prohibited from engaging in this activity. In drafting the regulations, the Commission was
careful to protect the privacy rights of those donors who give for more general purposes and
limited the reporting obligations to only information about those persons who make donations
for the purpose of furthering electioneering communications.

Administrative Safeguards

The Commission's enabling statute, the Federal Election Campaign Act (FECA), as
amended, provides important administrative safeguards. Specifically, the FECA prohibits the
disclosure of conciliation information or information about an open complaint or investigation
without written consent of the person whom the complaint or investigation is about. See 2
U.S.C. § 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may
result in criminal penalties and possible fines. 2 U.S.C. § 437g(a)(12)(B).

Additional FEC administrative safeguards for personally identifiable information include
Privacy Protection Policies and Procedures, Data Protection Policies and Procedures, and
government-wide ethical standards that prohibit the use of non-public information for personal
gain. See 5 C.F.R. § 2635.703 (2006). OPM regulations prohibit the unauthorized disclosure of
personnel records. See 5 C.F.R. § 293.108 (1979). Employees are allowed access to personal
information only to the extent that it is necessary for them to perform their duties, and the FEC
network is configured to allow only the lowest level of access necessary for each employee.

All FEC staff and contractors must keep information relating to their work on the FEC
network to the extent that the technology available at field locations allows and thus minimize
the amount of information kept on laptop, or local, hard drives. Mindful of the need for security
when FEC laptops leave the building, the FEC encrypted the hard drives of all FEC laptops and
configured them to require two-factor authentication for access.

FEC personnel redact personal information as appropriate from compliance matter
records before documents in those matters are made public.

Contractors working for the FEC are required to comply with the Privacy Act, as all
Commission contracts include a clause that incorporates Privacy Act requirements. They are
also required to comply with Commission Information System Security policies when accessing
Commission information resources. For instance, if a contractor uses a laptop, the system must
meet the FEC security requirements. At the end of a contract, the contractor must ensure that
any FEC data on the contractor's laptop has been removed. Any device a contractor uses for
remote access to the Commission's network must be encrypted, use two-factor authentication,
and include a 30-minute time-out function. FEC staff and contractors are advised on the proper
handling of agency data and encouraged to save FEC data to their network folders, especially
when performing work off-site. On the rare occasion when staff and contractors have to save
FEC data on a local hard drive, they are advised to move the data to a network folder in a timely
manner.

The FEC has also contracted with an outside organization, EBSI, to perform a series of
formal risk assessments of our information systems. The information obtained from these risk
assessments, which are ongoing, will be used to develop, modify, and implement any new
policies, standards, and procedures needed to improve the Commission's protection of sensitive
information, including personally identifiable information.

Individuals who access information the FEC publishes about candidate and committee
activity are reminded that the information may not be sold, used for commercial purposes, or used to
solicit any type of contribution or donation.

With respect to its website, the FEC does not collect anything other than statistical data
from browsers that access its website. It collects personal information from individuals who
request information or download data, but it does so only with the express permission of the
individual. The Commission's website privacy policy is prominently displayed and easy to
access. http://www.fec.gov/privacy.shtml.

Technical Safeguards

The FEC's technical safeguards for personally identifiable information are based on the
classification of that information as sensitive information. The protection of sensitive
information is the foundation of the Commission's Information System Security Program, a
comprehensive entity-wide program designed to ensure the confidentiality, integrity, and
availability of information systems and data and aimed at protecting the overall FEC computing
environment.

The FEC's technical safeguards include, inter alia, identification and authorization,
logical access, and monitoring. Identification and authorization, or access control, are technical
safeguards that prevent unauthorized people (or unauthorized processes) from entering an
information technology system. All FEC information systems that contain personally
identifiable information must conform to the Commission's identification and authorization
policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the
FEC Password Standard.

The 58-3.1 Logical Access Policy safeguards information against unauthorized use,
disclosure, modification, damage, and loss through the use of automated mechanisms that restrict
logical access to FEC electronic information to authorized users, and uses automated procedures
to base information access on actual business needs. This policy takes into consideration
authorization, identification, authentication, privacy, and user profiles and identification.

The 58-2.2 Account Management Policy ensures that FEC information system user
accounts are consistently authorized and validated. This policy provides for individual
accountability in automated transactions, consistent adherence to user identification code
standards across FEC applications and platforms, and the protection of user accounts from
probing by unauthorized users.

The FEC Password Standard reduces the likelihood of a successful brute force attack.
This standard takes into account the current state of computer system performance and the
capabilities of current password cracking programs.

In addition, the FEC employs a number of other policies and standards as technical
safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's
technical personnel to detect potential threats to electronic information, and record selected
system activities that will be stored with integrity and reviewed by management on a regular
basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous
review of information systems for compliance with approved policies, procedures, and
standards); the 58-3.2 Application and Operating System Security Policy (which covers the use,
modification, and configuration of computing resource applications and operating systems); the
58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and
addresses interruptions of Commission business processes due to damage, theft, or unauthorized
access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the
prevention, detection, and repair of damage resulting from malicious code).

Firewalls control the processes and users who have external access to the FEC network.
Intelligent switches protect resources by segregating users from certain segments of the network.
Intrusion detection hardware and other network monitoring software alert administrators when
anomalies occur. The Commission has also upgraded its directory services system and has thus
enhanced the Commission's ability to manage its access control capabilities. In addition, the
FEC maintains and reviews access logs (paper and electronic) for its data center.

The FEC employs a three-layered virus prevention strategy that prevents malicious
software from propagating throughout the Commission. This three-layered strategy limits a
hacker's ability to plant listening programs on the Commission's network and/or computer
systems to collect and retrieve sensitive information.

SAVVIS Inc. provides the web hosting services for the Commission's Internet presence.
It also maintains the operating system for the Commission's website. SAVVIS Inc. has passed
an in-depth audit of information technology safeguards under Statement on Auditing Standards
No. 70, Service Organizations, an internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants. The FEC uses a web server software
package which has a good reputation as a secure product. The web servers are protected by
hardware firewalls that permit public access only through specified protocols, thus limiting the
website's vulnerability to hackers. FEC and SAVVIS Inc. administrative personnel can only
access the servers via a secure set of standards and an associated network protocol that
establishes a secure channel between a local and a remote computer by way of public-key
cryptography. All communication to the servers (including usernames and passwords) is thus
encrypted.

The Commission employs a continuous monitoring program that includes periodic tests
of the Commission's Local Area Network, specifically tests of vulnerability to external
penetration, disaster recovery plans, incident response plans, network vulnerability, and access
control procedures.

During 2007, the FEC implemented an Intrusion Detection System (IDS). An intrusion
detection system is used to detect several types of malicious behaviors that can compromise the
security and trust of a computer system. This includes network attacks against vulnerable
services, data driven attacks on applications, host based attacks such as privilege escalation,
unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and
worms).

The Commission also implemented an automated process to ensure that accounts not
accessed in a specified time are automatically disabled.

In addition, the Commission implemented a Microsoft patch policy to secure the
workstations from various attacks identified by Microsoft, and thus no longer relies on users to
update their laptops/workstations with Microsoft patches. The FEC automatically pushes and
installs the patch(es) to users.

The FEC also purchased a network access control system which, when implemented, will
scan network devices and deny access unless the device meets FEC security requirements.
Finally, using a Department of Defense standard, the FEC sanitizes the hard drives of any
computer system prior to issuing it to another employee or sending it out for replacement.

Physical Safeguards

The Commission has established physical safeguards that it believes are commensurate
with the risk associated with and the sensitivity of the information in its possession. Security
guards staff the building entrance; employees are required to show identification before entering;
individuals who wish to research Commission public records are restricted to an area of the
building that includes only public records; and all other visitors require an employee escort.
Privacy screens have been installed on computer screens where there is a substantial likelihood
that personal information may be viewed by passers-by.

Commission policies require that paper and microfilm records be kept in limited access
areas under the personal surveillance of Commission employees during working hours and in
locked rooms during non-working hours; that CD-ROMs related to audits and investigations be
kept in locked file cabinets; and that paper records related to audits and investigations be kept in
locked safes in limited access areas of the building. Auditors in the field are instructed to keep
their audit documents under personal supervision or in locked cases. Employees with access to
payroll and travel records are advised to maintain the records in locked file cabinets in
cipher-locked rooms. All employees are advised that documents containing sensitive information,
including personal information, must be shredded prior to disposal. We plan on working closely
with the FEC's Administrative Officer in 2008 to improve physical security of sensitive
information and ensure the physical security policies are adhered to by employees.

Our administrative, technological, and physical safeguards have proven effective.
Nevertheless, the Federal Election Commission is working to improve its protection of personal
information by reviewing its privacy policies and procedures, updating its system of records, and
exploring additional training opportunities for its employees. We look forward to providing you
with an update on our progress next year.

Respectfully submitted,

Alec Palmer
Co-Chief Privacy Officer