Enhancing protections for sensitive information in congressional investigations

Congress has unique power to obtain sensitive information from private parties through oversight. That power comes with commensurate responsibility to secure the information. While some measures are in place, Congress could and should do more to strengthen its data protection protocols. 

Today’s Congress — including more than 13,000 employees — stores an unprecedented amount of electronic data. This includes personal identifying information, trade secrets, company business and pricing strategies, manufacturing information, health records, and information regarding national security issues. Inadvertent public disclosure of such data could profoundly impact companies and harm consumers. Some breaches could even influence financial markets and threaten national security. 

The threat is real. Cyber attacks against the government are rampant and too often successful. According to the Chief Administrative Officer of the House of Representatives, between 300-500 million cyber attacks against the House were thwarted each month between July and December of 2018. It is unclear how many additional attacks were successful because Congress generally does not report breaches; whereas, other government agencies have disclosed numerous breaches. In April 2018, then-acting Director of the Consumer Financial Protection Bureau Mick Mulvaney testified that the agency suffered approximately 240 data breaches, in addition to 800 other suspected attacks. In 2015, OPM disclosed the breach of highly sensitive background investigation records for millions of federal employees and contractors.

Congress requires the executive and judicial branches, along with certain private parties, to follow prescribed data security protocols. For example, the Federal Information Security Modernization Act (FISMA) required each federal agency to update its security programs, including its practices for reporting to Congress certain cyber security incidents. Additionally, the E-Government Act of 2002 required the Supreme Court to promulgate rules “to protect privacy and security concerns relating to electronic filing of documents” in federal court. This mandate led to Federal Rule of Civil Procedure 5.2, which covers filings made under seal and protective orders. Congress has not formalized such unified protections and procedures for document productions it receives, leaving private parties vulnerable when they must produce sensitive records. Congress should take the following four steps to protect data disclosed during investigations. 

Congress should collect only the information necessary to an investigation.

Congressional document requests often cover a broad range of materials that are not needed or only marginally relevant. While many committees have long been willing to negotiate the scope of such requests, the practice is not uniform, and some private parties will not know to ask for accommodations. If a company is asked to produce confidential or proprietary business information, committee staff should proactively engage the company and work collaboratively to address relevance and security concerns and exclude from production information not necessary to the investigation. Successful scope negotiations will allow private parties to limit the sensitive material that may be at risk on vulnerable systems, while allowing committee staff to receive relevant information more quickly. 

Congress should establish protocols to allow investigators to use the most secure data sharing arrangements available. 

In certain circumstances, it may be prudent to review sensitive documents through state-of-the-art document storage systems available to private parties. This would help protect sensitive information from attacks targeting congressional networks and would not impede progress in congressional investigations. It is simply the 21^st century equivalent of making documents available for committee staff to review without transferring possession of the material. Congress can always demand the transfer of critical information to its own systems at a later date once specific security concerns are addressed.

Congress should enact ‘need to know’ protocols to limit access to confidential, highly sensitive, and proprietary commercial information.

Effective data protection restricts access to confidential, sensitive, and proprietary information to authorized individuals who need that information. Across all committees, such information should be provided only to committee Members and their core investigative staff. Moreover, appropriate monitoring systems should be in place to detect unauthorized transfers of information. Committees should also consider whether it is appropriate for detailees, interns, or temporary staff to access materials, and should also establish rules for these employees similar to those in place for full-time employees.    

Congress must continue to bolster its training and reporting protocols. 

Some Members are working to improve Congress’ cyber security defenses. A bipartisan bill proposed in May 2019 would require Members of Congress to undergo mandatory cyber security and informational technology training. This positive step could even proceed without legislation.

Executive branch agencies and certain private parties are subject to a variety of federal and state obligations to report data security incidents. Such reporting is generally considered a best practice because understanding threats and vulnerabilities is the first step towards mitigating risk. Sens. Tom Cotton (R-Ariz.) and Ron Wyden (D-Ore.) raised concerns that “Congress has no legal obligation to disclose breaches and other cyber incidents” and congressional leaders were not certain whether “existing cybersecurity measures are sufficient to protect both the integrity [of the Senate] and the sensitive data with which it has been entrusted.”

In the spirit of transparency, Congress should hold itself to the same standards mandated for other parties by reporting some data about its data security incidents, along with appropriate information about remediation steps. 

Data security threats will continue to grow as adversaries become more sophisticated. These four initiatives are particularly important because parties subject to congressional document requests lack an affirmative process for protecting their sensitive information. Their limited option is extreme — they would have to resist production, invite a subpoena, and risk a contempt citation. Congress has recognized the core issues and taken initial steps to address them. These additional measures are imperative to strengthen data security when Congress exercises its investigative power.

Reginald Brown, Alyssa DaCunha, and Blake Roberts are partners in the congressional investigations practice at WilmerHale. They would like to thank Rachel Dober, Sean Hayes and Josh Mogil for their assistance.