
FEDERAL ELECTION COMMISSION

WASHINGTON, D.C. 20463

DECEMBER 16, 2009

The Honorable Nancy Pelosi


Office of the Speaker
U.S. House of Representatives
H-232, US Capitol
Washington, DC 20515

Re: Federal Election Commission Privacy Act Report to Congress

Dear Madam Speaker:

Enclosed please find the Federal Election Commission's (FEC) Privacy Act Report
for fiscal year 2009 pursuant to Section 522 of the Consolidated Appropriations Act (2005).

Respectfully submitted,

Enclosure
FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

DECEMBER 16, 2009

The Honorable Nancy Pelosi


Office of the Speaker
U.S. House of Representatives
H-232, US Capitol
Washington, DC 20515

Dear Madam Speaker:

Section 522 of the Consolidated Appropriations Act, 2005, 42 U.S.C. § 2000ee-2,
("Section 522") requires Chief Privacy Officers of federal agencies to report to Congress on an
annual basis on activities that affect privacy including complaints of privacy violations,
implementation of the Privacy Act, and internal controls (administrative, technical, and physical
safeguards), and other relevant matters. This letter is submitted pursuant to the requirements of
Section 522.

Most importantly, we are pleased to report that in fiscal year 2009 the Federal Election
Commission ("FEC" or "Commission") had no physical or electronic incidents resulting in the
loss of, or unauthorized access to, personally identifiable information contained in its electronic
or physical systems. The Commission did not receive any privacy complaints nor was it a party
to Privacy Act litigation in fiscal year 2009.

The FEC has always taken very seriously the need to protect the privacy of information
entrusted to it. Our efforts in this regard are substantial given that we are among the smallest of
federal agencies with fewer than 400 employees and the fact that our budget does not include any
specific provisions for privacy compliance. During fiscal year 2009, we pursued several
activities to improve agency privacy policies and to implement the Privacy Act fully:

• The Commission completed its first-ever inventory of personally identifiable
information (PII). This significant undertaking, which took over eight months to
complete, resulted in a documented and complete electronic inventory of the
Commission's PII, as well as an assessment report of the weaknesses and
strengths in the Commission's systems, and recommendations for amending and
upgrading the Commission's privacy and PII policies. Additionally, the PII
inventory specifically highlighted documents or electronic media containing
social security numbers (SSNs), so as to give the agency a comprehensive
inventory of the uses of SSNs throughout the Commission. The results of the PII
Review Initiative will have a significant impact on the FEC's protection and use
of PII and SSNs in the future, and may result in additional policy and procedure
changes. The PII Review Initiative improved employees' awareness of PII in
their individual work units and introduced employees to ways they can protect the
PII they have access to in the course of their job duties. The Commission's
Privacy Team is continuing its efforts to evaluate the data received from the PII
Review Initiative and how it can be used to formulate Agency-wide policy and
procedure changes, including reduction or elimination of unnecessary PII
retention and collection;

• The Commission began a biennial review of its systems of records in preparation
for revisions to its January 2, 2008 Systems of Records Notice (SORNs)
publication. As part of this review, the FEC Privacy Team conducted an Agency-wide
presentation to all agency managers explaining the purpose of the systems of
records review, methods for detecting new Privacy Act systems of records, and
how to report changes in current systems of records for the purposes of the
review. As a result of this inquiry, the Commission was able to identify several
potential new systems of records and/or potential corrections to existing SORNs;

• The Commission implemented a new electronic time and attendance tracking
system called WebTA. As a result, the Agency terminated the use of paper time
and attendance forms (which contained SSNs) and all time and attendance records
for 2009 are free of SSNs. By converting to an electronic time and attendance
system, the Commission has significantly reduced its risk of PII breaches and loss
caused by the use of paper forms;

• The Commission instituted an electronic system for submitting travel
authorizations and vouchers, and has emphasized that home addresses and SSNs
are no longer required for Commission travel documentation. By encouraging the
use of the electronic travel authorization system, the Commission has
significantly reduced its risk of PII breaches and loss caused by the use of paper
travel forms;

• The Commission is currently developing a Privacy page for the FEC intranet
(FECnet) which will include links to the Agency's privacy policies and
procedures, information on contacting the Chief Privacy Officers (through
Privacy@fec.gov), information on filing Privacy complaints, links to the
Agency's system of records notices, and other useful information on protecting
PII and privacy;

• The FEC reviewed its privacy practices during the course of preparing its annual
Privacy Management Report and timely submitted the report to the Office of
Management and Budget ("OMB"); and

• The FEC conducted mandatory annual security awareness training for
Commission employees and contractors that included an overview of general
privacy principles. The 2009 Security Awareness Training was conducted via
Skillport, the Commission's online training program, and included a review of the
Agency's Virtual Private Network (VPN) Policy and Rules of Behavior and
Acceptable Use Standards. In addition, the training included a video which
covered the following: the importance of not allowing tailgating, the importance
of password protections, the importance of saving sensitive information to secure
backed-up network storage areas, the importance of locking unattended
computers, the importance of picking up sensitive printouts immediately, the
importance of being wary of suspicious emails, and the need to keep electronic
media secure and safe from theft or damage.

On-going efforts to implement specific provisions of the Privacy Act include:

• Continuing the implementation of the Agency's SSN Reduction Initiative. The
Agency is evaluating the SSN data received during the PII Review to determine
which documents contain SSNs unnecessarily. After the information gathering
and analysis processes are complete, the Information Systems Security Officer
(ISSO) and the OGC-Administrative Law Division intend to provide
recommendations to the Co-Chief Privacy Officers regarding which documents
containing SSNs may be altered, or eliminated so as to reduce the number of
SSN-containing documents used by the Agency. While the Agency has not
completed this SSN Reduction Initiative, many FEC offices have already begun to
find alternatives to using SSNs. For example, the Office of General Counsel
regularly instructs employees not to place the SSNs on training forms, even if the
training form contains a space designated for such information;

• Continuing the implementation of administrative, technical, and physical
safeguards to insure security and confidentiality of records in accordance with 5
U.S.C. § 551a(e)(10) (discussed below in greater detail);

• Continuing to comply with FEC privacy regulations that: establish notification
procedures to respond to an individual's request for whether a system of records
contains a record pertaining to the individual; define reasonable times, places, and
requirements for making the information available to the individual; set forth the
procedures for disclosure to the individual; permit the individual to request to
amend any record or information pertaining to the individual; and establish fees to
be charged for copies of records. See 11 C.F.R. Part 1; and

• Reviewing agency systems of records in preparation for possible amendments or
revisions to current systems of records notices.

Review of Legislative and Regulatory Proposals

Section 522 requires that the Chief Privacy Officer evaluate legislative and regulatory
proposals that affect privacy.

None of the legislative proposals transmitted by the Commission to Congress in fiscal
year 2009 would have affected the collection or disclosure of personal information. The sole
recommendation relating to campaign finance disclosure, regarding the electronic filing of
reports by the committees of candidates for the Senate, would merely make more efficient the
disclosure of information already collected and disseminated by the Commission pursuant to the
statutory requirements of 2 U.S.C. § 434.

The Commission adopted new regulations in fiscal year 2009 implementing the bundled
contribution disclosure provisions of the Honest Leadership and Open Government Act, Pub. L.
110-81 (121 Stat. 735), § 204. Under these rules, authorized committees of candidates for
Federal office, "leadership PACs," and political party committees must disclose certain
information about, among other entities, each person reasonably known by the reporting
committee to be a registered lobbyist who forwards, or is credited with forwarding, to the
reporting committee two or more "bundled" contributions aggregating within a threshold amount
during a specified period of time. This rule, 11 C.F.R. § 104.22(b), tracks the core disclosure
provisions of the statute. It will increase both the collection and dissemination of personal
information about individuals in the following ways. First, it will lead to the identification of
certain registered lobbyists as "bundlers" of campaign contributions. Second, it will result in the
disclosure of the addresses and employers of these individuals. Third, it will result in disclosure
of the amounts "bundled" by these individuals. All of the new information to be collected and
disseminated is specifically required by statute, 2 U.S.C. § 434(i)(1), to be both collected and
disclosed to the public.

Administrative Safeguards

The Commission's enabling statute, the Federal Election Campaign Act (FECA), as
amended, provides important administrative safeguards. Specifically, the FECA prohibits the
disclosure of conciliation information or information about an open complaint or investigation
without written consent of the person whom the complaint or investigation is about. See 2
U.S.C. § 437g(a)(4)(B)(i) and (12)(A). Failure to comply with these FECA prohibitions may
result in criminal penalties and possible fines. 2 U.S.C. § 437g(a)(12)(B).

Additional FEC administrative safeguards for personally identifiable information include
Privacy Policies and Procedures, Data Protection Policies and Procedures, and government-wide
ethical standards that prohibit the use of non-public information for personal gain. See 5 C.F.R.
§ 635.703 (2006). OPM regulations prohibit the unauthorized disclosure of personnel records.
See 5 C.F.R. § 293.108 (1979). Employees are allowed access to personal information only to
the extent that it is necessary for them to perform their duties and the FEC network is configured
to allow only the lowest level of access necessary for each employee.

In accordance with FEC policies, all FEC staff and contractors working off-site must
keep information relating to their work on the FEC network to the extent that the technology
available at field locations allows and thus minimize the amount of information kept on laptop,
or local, hard drives. Mindful of the need for security when FEC laptops leave the building, the
FEC encrypted the hard drives of all FEC laptops and configured them to require two-factor
authentication for access.

FEC personnel redact personal information as appropriate from compliance matter
records before documents in those matters are made public. Personal information is also
redacted from records released in response to FOIA requests, to the extent appropriate or in
conjunction with a prescribed statutory or regulatory exemption under 5 U.S.C. § 552, 11 CFR §
4.5, or the FEC's interim disclosure policy, 68 Fed. Reg. 70426 (Dec. 18, 2003).

Contractors working for the FEC are required to comply with the Privacy Act through
Commission contracts that incorporate Privacy Act language or addendums. Moreover,
contractors with access to personal information are required to sign nondisclosure agreements
which bind them to FEC privacy policies prior to having access to our systems. They are also
required to comply with Commission Information System Security policies when accessing
Commission information resources. For instance, if a contractor uses a laptop, the system must
meet the FEC security requirements. At the end of a contract, the contractor must ensure that
any FEC data on the contractor's laptop has been removed. Any device a contractor uses for
remote access to the Commission's network must be encrypted, must use two-factor
authentication, and must include a 30-minute time-out function. FEC staff and contractors are
advised on the proper handling of agency data and encouraged to save FEC data to their network
folders especially when performing work off-site. On the rare occasion when staff and
contractors have to save FEC data on a local hard drive, they are advised to move the data to a
network folder in a timely manner and use a wiping program to ensure the data has been properly
erased.

Individuals who access information the FEC publishes about candidate and committee
activity are reminded that that information may not be sold, used for commercial purposes, or
used to solicit any type of contribution or donation.

With respect to its website, the FEC does not collect anything other than statistical data
from browsers who access its website. It collects personal information from individuals who
request information or download data, but it does so only with the express permission of the
individual. The Commission's website privacy policy may be found at
http://www.fec.gov/privacy.shtml.

Technical Safeguards

The FEC's technical safeguards for personally identifiable information are based on the
classification of that information as sensitive information. The protection of sensitive
information is the foundation of the Commission's Information System Security Program, a
comprehensive agency-wide program designed to ensure the confidentiality, integrity, and
availability of information systems and data and aimed at protecting the overall FEC computing
environment.

The FEC's technical safeguards include, inter alia, identification and authorization,
logical access, and monitoring. Identification and authorization, or access control, are technical
safeguards that prevent unauthorized people (or unauthorized processes) from entering an
information technology system. All FEC information systems that contain personally
identifiable information must conform to the Commission's identification and authorization
policies: the 58-3.1 Logical Access Policy, the 58-2.2 Account Management Policy, and the
FEC Password Standard.

The 58-3.1 Logical Access Policy safeguards information against unauthorized use,
disclosure, modification, damage, and loss through the use of automated mechanisms that restrict
logical access to FEC electronic information to authorized users, and uses automated procedures
to base information access on actual business needs. This policy takes into consideration
authorization, identification, authentication, privacy, and user profiles and identification.

The 58-2.2 Account Management Policy ensures that FEC information system user
accounts are consistently authorized and validated. This policy provides for individual
accountability in automated transactions, consistent adherence to user identification code
standards across FEC applications and platforms, and the protection of user accounts from
probing by unauthorized users.

The FEC Password Standard reduces the likelihood of a successful brute force attack.
This standard takes into account the current state of computer system performance, and current
password cracking programs' capabilities.

In addition, the FEC employs a number of other policies and standards as technical
safeguards: the 58-3.3 Auditing and Monitoring Policy (which enables the Commission's
technical personnel to detect potential threats to electronic information, and record selected
system activities that will be stored with integrity, and reviewed by management on a regular
basis to detect problems); the 58-2.11 Security Review Policy (which provides for the continuous
review of information systems for compliance with approved policies, procedures, and
standards); the 58-3.2 Application and Operating System Security Policy (which covers the use,
modification, and configuration of computing resource applications and operating systems); the
58-4.2 Media Management Policy (which governs the FEC electronic media life-cycle and
addresses interruptions of Commission business processes due to damage, theft, or unauthorized
access to computer-related media); and the 58-3.6 Malicious Code Policy (which covers the
prevention, detection, and repair of damage resulting from malicious code).

Firewalls control the processes and users who have external access to the FEC network.
Intelligent switches protect resources by segregating users from certain segments of the network.
Intrusion detection hardware and other network monitoring software alert administrators when
anomalies occur. The Commission has also upgraded its directory services system and has thus
enhanced the Commission's ability to manage its access control capabilities. In addition, the
FEC maintains and reviews access logs (paper and electronic) for its data center.

The FEC employs a three-layered virus prevention strategy that prevents malicious
software from propagating throughout the Commission. This three-layered strategy limits a
hacker's ability to plant listening devices on the Commission's network and/or computer systems
to collect and retrieve sensitive information.

SAVVIS Inc. provides the web hosting services for the Commission's Internet presence.
It also maintains the operating system for the Commission's website. SAVVIS has passed an
in-depth audit of information technology safeguards under Statement on Auditing Standards No. 70,
Service Organizations, an internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants. SAVVIS is also contractually bound to the
Privacy Act and FEC privacy policies through GSA Order clauses. The FEC uses a web server
software package, which has a good reputation as a secure product. The web servers are
protected by hardware firewalls that permit public access only through specified protocols, thus
limiting the website's vulnerability to hackers. FEC and SAVVIS administrative personnel can
only access the servers via a secure set of standards and an associated network protocol that
establishes a secure channel between a local and a remote computer by way of public-key
cryptography. All communication to the servers (including usernames and passwords) is thus
encrypted.

The FEC completed a Certification and Accreditation Program aimed at effectively
capturing risks and vulnerabilities across all major agency systems.¹ The certification process
focused on the identification and evaluation of system risks, vulnerabilities, and threats, and
whether security safeguards had been put in place to mitigate those risks. Risk assessments and
security control tests are an integral part of the certification process. Accreditation is the official
management authorization to (or not to) operate an information system. During the accreditation
process, senior management reviewed all residual risks that remained in the system despite the
application of security safeguards, and made decisions as to whether the system should continue
to operate notwithstanding those risks.

The FEC has instituted a real-time Intrusion Detection System (IDS). An intrusion
detection system is used to detect several types of malicious behaviors that can compromise the
security and trust of a computer system. This includes network attacks against vulnerable
services, data driven attacks on applications, host based attacks such as privilege escalation,
unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and
worms).

The Commission uses an automated process to ensure that accounts not accessed in a
specified time are automatically disabled.

The Commission has also increased the frequency of its external and internal network
scanning for system vulnerabilities to monthly and bi-weekly, respectively. We have contracted
with two separate vendors to perform biannual independent penetration tests in order to evaluate
infrastructure security. In addition, the Commission has contracted with Microsoft to perform a
Security Health Check to evaluate our current processes and configurations against published
Microsoft security guidance. The Security Health Check is a proactive security engagement
designed to assist customers with avoiding compromises on hosts and network environments.

1 Certification and accreditation programs are required under the Federal Information Security Management Act
(FISMA), from which the FEC is exempt. However, the Commission recognizes the importance of properly
identifying vulnerabilities in its systems and implementing proper security controls and safeguards to protect its
information. Accordingly, it has developed its own certification and accreditation program to fulfill these purposes.
"Major agency system" for the purposes of this report is defined as any electronic system which directly affects the
mission of the agency (e.g. presidential matching funds system, the LAN network system, disclosure database).

In addition, the Commission uses a Microsoft patch policy to secure its workstations from
various attacks identified by Microsoft, and thus, no longer relies on users to update their
laptops/workstations with Microsoft patches. The FEC automatically pushes and installs the
patch(es) to users. Moreover, the FEC has implemented new authentication technology for its
Microsoft Windows environment, designed to enhance authentication, integrity and
confidentiality services, and the elimination of vulnerabilities found in prior Windows versions.

Employees of the Audit Division, who regularly travel outside of the office to conduct
audits of committees and campaigns, were provided with encrypted USB drives to ensure
protection of both the sensitive data collected by the auditors, and any FEC data contained on the
drives.

The FEC Office of Information Technology (OIT) and Office of Human Resources
(OHR) established a working group to implement more stringent procedures regarding the
termination of network access when employees and contractors are separated from the agency.
As a result of this collaboration, on December 7, 2009 the agency went live with the FEC Access
System (FAS), an electronic system that will track staff and contractors from the start of their
employment at the Commission to exit, and will allow managers to request and document
changes in network and application access. All new hires, transfers, account modifications, and
terminations will now be processed through this system. The implementation of FAS will aid the
agency in ensuring that after separation of FEC employment or termination of contracts,
employee and contractor user accounts are disabled and equipment is properly returned to the
FEC.

The Commission has implemented a policy (which uses Department of Defense Standard
5220.25-M) of sanitizing the hard drives of any computer system prior to issuing to another
employee or sending out for replacement.

The Commission, in conjunction with the Office of Personnel Management (OPM), has
completed Phase I of its Official Personnel Folders (OPF) electronic conversion project.
Currently OHR has converted the OPFs to electronically stored folders (eOPFs) and has archived
the paper folders, thus enhancing the security of employees' PII. In addition, all new documents,
such as SF50's, are sent directly to the employee's eOPF, which restricts access to the employee
PII information while also reducing the amount of paper records in the Agency. OHR uses this
system exclusively for all OPF related activities. OHR is currently working on Phase II of the
OPF conversion project which will allow employees to access their own OPF information.
Phase II is scheduled for full implementation before the end of calendar year 2010.

Physical Safeguards

The Commission has established physical safeguards that it believes are commensurate
with the risk associated with and the sensitivity of the information in its possession. Security
guards staff the building entrance and employees are required to show identification before
entering. Effective January 2009, these guards were armed. Individuals who wish to research
Commission public records are restricted to an area of the building that includes only public
records, and all other visitors require an employee escort. Privacy screens have been installed on
computer screens where there is a substantial likelihood that personal information may be
viewed by passers-by.

Commission policies require that paper and microfilm records are kept in limited access
areas under the personal surveillance of Commission employees during working hours and in
locked rooms during non-working hours, that CD-ROMs related to audits and investigations be
kept in locked file cabinets, and that paper records related to audits and investigations be kept in
locked safes in limited access areas of the building. Auditors in the field are instructed to keep
their audit documents under personal supervision or in locked cases. Employees with access to
payroll and travel records are advised to maintain the records in locked file cabinets in
cipher-locked rooms. The Office of General Counsel has recently informed all of its employees to
report broken locks, or locks for which there are no keys, so that they may be repaired. Repair
efforts are expected to begin in the near future. All employees are advised that documents
containing sensitive information, including personal information, must be shredded prior to
disposal. To encourage safe disposal of sensitive documents, every floor in the Commission has
been outfitted with confidential and locked shred bins for employee use. We plan on continuing
to work closely with the FEC's Administrative Officer to improve physical security of sensitive
information and ensure the physical security policies are adhered to by employees.

Additionally, in connection with its PII Review, the contractor provided
recommendations for the development of new or revised PII policies and procedures. This
included the creation of a Systems of Records Notices Review Procedure, and a procedure for
updating the PII inventory created during the review. The Agency's Privacy Team is analyzing
the information received during the PII Review Initiative to determine the weaknesses in the
Agency's handling of PII, where those weaknesses are located, how the weaknesses can be
rectified, and what changes to the Agency's PII policies, procedures or training need to be done
(if any) in order to address those weaknesses. It is also carefully reviewing the recommendations
presented by the contractor to determine if alterations to its current PII and privacy policies and
procedures, or the creation of additional policies and procedures, are needed.

Our administrative, technological, and physical safeguards have proven effective.
Nevertheless, the Federal Election Commission is working to improve its protection of personal
information by reviewing its privacy policies and procedures, updating its system of records, and
exploring additional training opportunities for its employees. We look forward to providing you
with an update on our progress next year.

Respectfully submitted,

Date: /1//5/
, , 0 7
Alec Palmer
Co-Chief Privacy Officer

Date: / 2.//S~/()q