TITLE 38 - US CODE - CHAPTER 57 - RECORDS AND INVESTIGATIONS

TITLE 38 - US CODE - SUBCHAPTER I - RECORDS

38 USC 5701 - Confidential nature of claims

(a) All files, records, reports, and other papers and documents pertaining to any claim under any of the laws administered by the Secretary and the names and addresses of present or former members of the Armed Forces, and their dependents, in the possession of the Department shall be confidential and privileged, and no disclosure thereof shall be made except as provided in this section.

(b) The Secretary shall make disclosure of such files, records, reports, and other papers and documents as are described in subsection (a) of this section as follows:

(1) To a claimant or duly authorized agent or representative of a claimant as to matters concerning the claimant alone when, in the judgment of the Secretary, such disclosure would not be injurious to the physical or mental health of the claimant and to an independent medical expert or experts for an advisory opinion pursuant to section 5109 or 7109 of this title.

(2) When required by process of a United States court to be produced in any suit or proceeding therein pending.

(3) When required by any department or other agency of the United States Government.

(4) In all proceedings in the nature of an inquest into the mental competency of a claimant.

(5) In any suit or other judicial proceeding when in the judgment of the Secretary such disclosure is deemed necessary and proper.

(6) In connection with any proceeding for the collection of an amount owed to the United States by virtue of a persons participation in any benefit program administered by the Secretary when in the judgment of the Secretary such disclosure is deemed necessary and proper.

(c)

(1) The amount of any payment made by the Secretary to any person receiving benefits under a program administered by the Secretary shall be made known to any person who applies for such information.

(2) Any appraisal report or certificate of reasonable value submitted to or prepared by the Secretary in connection with any loan guaranteed, insured, or made under chapter 37 of this title shall be made available to any person who applies for such report or certificate.

(3) Subject to the approval of the President, the Secretary may publish at any time and in any manner any or all information of record pertaining to any claim filed with the Secretary if the Secretary determines that the public interest warrants or requires such publication.

(d) The Secretary as a matter of discretion may authorize an inspection of Department records by duly authorized representatives of recognized organizations.

(e) Except as otherwise specifically provided in this section with respect to certain information, the Secretary may release information, statistics, or reports to individuals or organizations when in the Secretarys judgment such release would serve a useful purpose.

(f) The Secretary may, pursuant to regulations the Secretary shall prescribe, release the name or address, or both, of any present or former member of the Armed Forces, or a dependent of a present or former member of the Armed Forces,

(1) to any nonprofit">nonprofit organization if the release is directly connected with the conduct of programs and the utilization of benefits under this title, or

(2) to any criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety if a qualified representative of such agency or instrumentality has made a written request that such name or address be provided for a purpose authorized by law. Any organization or member thereof or other person who, knowing that the use of any name or address released by the Secretary pursuant to the preceding sentence is limited to the purpose specified in such sentence, willfully uses such name or address for a purpose other than those so specified, shall be guilty of a misdemeanor and be fined not more than $5,000 in the case of a first offense and not more than $20,000 in the case of any subsequent offense.

(g)

(1) Subject to the provisions of this subsection, and under regulations which the Secretary shall prescribe, the Secretary may release the name or address, or both, of any person who is a present or former member of the Armed Forces, or who is a dependent of a present or former member of the Armed Forces, to a consumer reporting agency if the release of such information is necessary for a purpose described in paragraph (2) of this subsection.

(2) A release of information under paragraph (1) of this subsection concerning a person described in such paragraph may be made for the purpose of

(A) locating such a person

(i) who has been administratively determined to be indebted to the United States by virtue of the persons participation in a benefits program administered by the Secretary; or

(ii) if the Secretary has determined under such regulations that

(I) it is necessary to locate such person in order to conduct a study pursuant to section 527 of this title or a study required by any other provision of law, and

(II) all reasonable steps have been taken to assure that the release of such information to such reporting agency will not have an adverse effect on such person; or

(B) obtaining a consumer report in order to assess the ability of a person described in subparagraph (A)(i) of this paragraph to repay the indebtedness of such person to the United States, but the Secretary may release the name or address of such person for the purpose stated in this clause only if the Secretary determines under such regulations that such person has failed to respond appropriately to administrative efforts to collect such indebtedness.

(3) The Secretary may also release to a consumer reporting agency, for the purposes specified in subparagraph (A) or (B) of paragraph (2) of this subsection, such other information as the Secretary determines under such regulations is reasonably necessary to identify a person described in such paragraph, except that the Secretary may not release to a consumer reporting agency any information which indicates any indebtedness on the part of such person to the United States or any information which reflects adversely on such person. Before releasing any information under this paragraph, the Secretary shall, under such regulations, take reasonable steps to provide for the protection of the personal privacy of persons about whom information is proposed to be released under this paragraph.

(4)

(A) If the Secretary determines, under regulations which the Secretary shall prescribe, that a person described in paragraph (1) of this subsection has failed to respond appropriately to reasonable administrative efforts to collect an indebtedness of such person described in paragraph (2)(A)(i) of this subsection, the Secretary may release information concerning the indebtedness, including the name and address of such person, to a consumer reporting agency for the purpose of making such information available for inclusion in consumer reports regarding such person and, if necessary, for the purpose of locating such person, if

(i) the Secretary has

(I) made reasonable efforts to notify such person of such persons right to dispute through prescribed administrative processes the existence or amount of such indebtedness and of such persons right to request a waiver of such indebtedness under section 5302 of this title,

(II) afforded such person a reasonable opportunity to exercise such rights, and

(III) made a determination with respect to any such dispute or request; and

(ii) thirty calendar days have elapsed after the day on which the Secretary has made a determination that reasonable efforts have been made to notify such person

(I) that the Secretary intends to release such information for such purpose or purposes, and

(II) that, upon the request of such person, the Secretary shall inform such person of whether such information has been so released and of the name and address of each consumer reporting agency to which such information was released by the Secretary and of the specific information so released.

(B) After release of any information under subparagraph (A) of this paragraph concerning the indebtedness of any person, the Secretary shall promptly notify

(i) each consumer reporting agency to which such information has been released by the Secretary; and

(ii) each consumer reporting agency described in subsection (i)(3)(B)(i) of this section to which such information has been transmitted by the Secretary through a consumer reporting agency described in subsection (i)(3)(B)(ii)(I) of this section,

of any substantial change in the status or amount of such indebtedness and, upon the request of any such consumer reporting agency for verification of any or all information so released, promptly verify or correct, as appropriate, such information. The Secretary shall also, after the release of such information, inform such person, upon the request of such person, of the name and address of each consumer reporting agency described in clause (i) or (ii) of this subparagraph to which such information was released or transmitted by the Secretary and of the specific information so released or transmitted.

(h)

(1) Under regulations which the Secretary shall prescribe, the Secretary may release the name or address, or both, of any person who is a present or former member of the Armed Forces, or who is a dependent of a present or former member of the Armed Forces (and other information relating to the identity of such person), to any person in a category of persons described in such regulations and specified in such regulations as a category of persons to whom such information may be released, if the release of such information is necessary for a purpose described in paragraph (2) of this subsection.

(2) A release of information under paragraph (1) of this subsection may be made for the purpose of

(A) determining the creditworthiness, credit capacity, income, or financial resources of a person who has

(i) applied for any benefit under chapter 37 of this title, or

(ii) submitted an offer to the Secretary for the purchase of property acquired by the Secretary under section 3720 (a)(5) of this title;

(B) verifying, either before or after the Secretary has approved a persons application for assistance in the form of a loan guaranty or loan insurance under chapter 37 of this title, information submitted by a lender to the Secretary regarding the creditworthiness, credit capacity, income, or financial resources of such person;

(C) offering for sale or other disposition by the Secretary, pursuant to section 3720 of this title, any loan or installment sale contract owned or held by the Secretary; or

(D) providing assistance to any applicant for benefits under chapter 37 of this title or administering such benefits if the Secretary promptly records the fact of such release in appropriate records pertaining to the person concerning whom such release was made.

(i)

(1) No contract entered into for any of the purposes of subsection (g) or (h) of this section, and no action taken pursuant to any such contract or either such subsection, shall result in the application of section 552a of title 5 to any consumer reporting agency or any employee of a consumer reporting agency.

(2) The Secretary shall take reasonable steps to provide for the protection of the personal privacy of persons about whom information is disclosed under subsection (g) or (h) of this section.

(3) For the purposes of this subsection and of subsection (g) of this section

(A) The term consumer report has the meaning provided such term in subsection (d) of section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a (d)).

(B) The term consumer reporting agency means

(i) a consumer reporting agency as such term is defined in subsection (f) of section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a (f)), or

(ii) any person who, for monetary fees, dues, or on a cooperative nonprofit">nonprofit basis, regularly engages in whole or in part in the practice of

(I) obtaining credit or other information on consumers for the purpose of furnishing such information to consumer reporting agencies (as defined in clause (i) of this paragraph), or

(II) serving as a marketing agent under arrangements enabling third parties to obtain such information from such reporting agencies.

(j) Except as provided in subsection (i)(1) of this section, any disclosure made pursuant to this section shall be made in accordance with the provisions of section 552a of title 5.

(k)

(1)

(A) Under regulations that the Secretary shall prescribe, the Secretary may disclose the name and address of any individual described in subparagraph (C) to an entity described in subparagraph (B) in order to facilitate the determination by such entity whether the individual is, or after death will be, a suitable organ, tissue, or eye donor if

(i) the individual is near death (as determined by the Secretary) or is deceased; and

(ii) the disclosure is permitted under regulations promulgated pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note ).

(B) An entity described in this subparagraph is

(i) an organ procurement organization, including eye and tissue banks; or

(ii) an entity that the Secretary has determined

(I) is substantially similar in function, professionalism, and reliability to an organ procurement organization; and

(II) should be treated for purposes of this subsection in the same manner as an organ procurement organization.

(i) a veteran; or

(ii) a dependent of veteran.

(2) In this subsection, the term organ procurement organization has the meaning given the term qualified organ procurement organization in section 371(b) of the Public Health Service Act (42 U.S.C. 273 (b)).

38 USC 5702 - Furnishing of records

(a) Any person desiring a copy of any record, paper, and so forth, in the custody of the Secretary that may be disclosed under section 5701 of this title must submit to the Secretary an application in writing for such copy. The application shall state specifically

(1) the particular record, paper, and so forth, a copy of which is desired and whether certified or uncertified; and

(2) the purpose for which such copy is desired to be used.

(b) The Secretary may establish a schedule of fees for copies and certification of such records.

38 USC 5703 - Certification of records of District of Columbia

When a copy of any public record of the District of Columbia is required by the Secretary to be used in determining the eligibility of any person for benefits under laws administered by the Secretary, the official custodian of such public record shall without charge provide the applicant for such benefits or any person (including any veterans organization) acting on the veterans behalf or the authorized representative of the Secretary with a certified copy of such record.

38 USC 5704 - Transcript of trial records

The Secretary may purchase transcripts of the record, including all evidence, of trial of litigated cases.

38 USC 5705 - Confidentiality of medical quality-assurance records

(a) Records and documents created by the Department as part of a medical quality-assurance program (other than reports submitted pursuant to section 7311 (g)1 of this title) are confidential and privileged and may not be disclosed to any person or entity except as provided in subsection (b) of this section.

(b)

(1) Subject to paragraph (2) of this subsection, a record or document described in subsection (a) of this section shall, upon request, be disclosed as follows:

(A) To a Federal agency or private organization, if such record or document is needed by such agency or organization to perform licensing or accreditation functions related to Department health-care facilities or to perform monitoring, required by statute, of Department health-care facilities.

(B) To a Federal executive agency or provider of health-care services, if such record or document is required by such agency or provider for participation by the Department in a health-care program with such agency or provider.

(C) To a criminal or civil law enforcement governmental agency or instrumentality charged under applicable law with the protection of the public health or safety, if a qualified representative of such agency or instrumentality makes a written request that such record or document be provided for a purpose authorized by law.

(D) To health-care personnel, to the extent necessary to meet a medical emergency affecting the health or safety of any individual.

(2) The name of and other identifying information regarding any individual patient or employee of the Department, or any other individual associated with the Department for purposes of a medical quality-assurance program, contained in a record or document described in subsection (a) of this section shall be deleted from any record or document before any disclosure made under this subsection if disclosure of such name and identifying information would constitute a clearly unwarranted invasion of personal privacy.

(3) No person or entity to whom a record or document has been disclosed under this subsection shall make further disclosure of such record or document except for a purpose provided in this subsection.

(4) Nothing in this section shall be construed as authority to withhold any record or document from a committee of either House of Congress or any joint committee of Congress, if such record or document pertains to any matter within the jurisdiction of such committee or joint committee.

(5) Nothing in this section shall be construed as limiting the use of records and documents described in subsection (a) of this section within the Department (including contractors and consultants of the Department).

(6) Nothing in this section shall be construed as authorizing or requiring withholding from any person or entity the disclosure of statistical information regarding Department health-care programs (including such information as aggregate morbidity and mortality rates associated with specific activities at individual Department health-care facilities) that does not implicitly or explicitly identify individual patients or employees of the Department, or individuals who participated in the conduct of a medical quality-assurance review.

(1) with respect to any activity carried out before October 7, 1980, a Department systematic health-care review activity carried out by or for the Department for the purpose of improving the quality of medical care or improving the utilization of health-care resources in Department health-care facilities; and

(2) with respect to any activity carried out on or after October 7, 1980, a Department systematic health-care review activity designated by the Secretary to be carried out by or for the Department for either such purpose.

(d)

(1) The Secretary shall prescribe regulations to carry out this section. In prescribing such regulations, the Secretary shall specify those activities carried out before October 7, 1980, which the Secretary determines meet the definition of medical quality-assurance program in subsection (c)(1) of this section and those activities which the Secretary has designated under subsection (c)(2) of this section. The Secretary shall, to the extent appropriate, incorporate into such regulations the provisions of the administrative guidelines and procedures governing such programs in existence on October 7, 1980.

(2) An activity may not be considered as having been designated as a medical quality-assurance program for the purposes of subsection (c)(2) of this section unless the designation has been specified in such regulations.

(e) Any person who, knowing that a document or record is a document or record described in subsection (a) of this section, willfully discloses such record or document except as provided for in subsection (b) of this section shall be fined not more than $5,000 in the case of a first offense and not more than $20,000 in the case of a subsequent offense.

[1] See References in Text note below.

TITLE 38 - US CODE - SUBCHAPTER II - INVESTIGATIONS

38 USC 5711 - Authority to issue subpoenas

(a) For the purposes of the laws administered by the Secretary, the Secretary, and those employees to whom the Secretary may delegate such authority, to the extent of the authority so delegated, shall have the power to

(1) issue subpoenas for and compel the attendance of witnesses within a radius of 100 miles from the place of hearing;

(2) require the production of books, papers, documents, and other evidence;

(3) take affidavits and administer oaths and affirmations;

(4) aid claimants in the preparation and presentation of claims; and

(5) make investigations and examine witnesses upon any matter within the jurisdiction of the Department.

(b) Any person required by such subpoena to attend as a witness shall be allowed and paid the same fees and mileage as are paid witnesses in the district courts of the United States.

38 USC 5712 - Validity of affidavits

Any such oath, affirmation, affidavit, or examination, when certified under the hand of any such employee by whom it was administered or taken and authenticated by the seal of the Department, may be offered or used in any court of the United States and without further proof of the identity or authority of such employee shall have like force and effect as if administered or taken before a clerk of such court.

38 USC 5713 - Disobedience to subpoena

In case of disobedience to any such subpoena, the aid of any district court of the United States may be invoked in requiring the attendance and testimony of witnesses and the production of documentary evidence, and such court within the jurisdiction of which the inquiry is carried on may, in case of contumacy or refusal to obey a subpoena issued to any officer, agent, or employee of any corporation or to any other person, issue an order requiring such corporation or other person to appear or to give evidence touching the matter in question; and any failure to obey such order of the court may be punished by such court as a contempt thereof.

TITLE 38 - US CODE - SUBCHAPTER III - INFORMATION SECURITY

38 USC 5721 - Purpose

The purpose of the Information Security Program is to establish a program to provide security for Department information and information systems commensurate to the risk of harm, and to communicate the responsibilities of the Secretary, Under Secretaries, Assistant Secretaries, other key officials, Assistant Secretary for Information and Technology, Associate Deputy Assistant Secretary for Cyber and Information Security, and Inspector General of the Department of Veterans Affairs as outlined in the provisions of subchapter III of chapter 35 of title 44 (also known as the Federal Information Security Management Act of 2002, which was enacted as part of the E-Government Act of 2002 (Public Law 107347)).

38 USC 5722 - Policy

(a) In General.—
The security of Department information and information systems is vital to the success of the mission of the Department. To that end, the Secretary shall establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.

(b) Elements.—
The Secretary shall ensure that the Department information security program includes the following elements:

(1) Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the Department.

(2) Policies and procedures that

(A) are based on risk assessments;

(B) cost-effectively reduce security risks to an acceptable level; and

(3) Selection and effective implementation of minimum, mandatory technical, operational, and management security controls, or other compensating countermeasures, to protect the confidentiality, integrity, and availability of each Department system and its information.

(4) Subordinate plans for providing adequate security for networks, facilities, systems, or groups of information systems, as appropriate.

(5) Annual security awareness training for all Department employees, contractors, and all other users of VA sensitive data and Department information systems that identifies the information security risks associated with the activities of such employees, contractors, and users and the responsibilities of such employees, contractors, and users to comply with Department policies and procedures designed to reduce such risks.

(6) Periodic testing and evaluation of the effectiveness of security controls based on risk, including triennial certification testing of all management, operational, and technical controls, and annual testing of a subset of those controls for each Department system.

(7) A process for planning, developing, implementing, evaluating, and documenting remedial actions to address deficiencies in information security policies, procedures, and practices.

(8) Procedures for detecting, immediately reporting, and responding to security incidents, including mitigating risks before substantial damage is done as well as notifying and consulting with the US-Computer Emergency Readiness Team of the Department of Homeland Security, law enforcement agencies, the Inspector General of the Department, and other offices as appropriate.

(9) Plans and procedures to ensure continuity of operations for Department systems.

(c) Compliance With Certain Requirements.—
The Secretary shall comply with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements promulgated by the National Institute of Standards and Technology and the Office of Management and Budget that define Department information system mandates.

38 USC 5723 - Responsibilities

(a) Secretary of Veterans Affairs.—
In accordance with the provisions of subchapter III of chapter 35 of title 44, the Secretary is responsible for the following:

(1) Ensuring that the Department adopts a Department-wide information security program and otherwise complies with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(2) Ensuring that information security protections are commensurate with the risk and magnitude of the potential harm to Department information and information systems resulting from unauthorized access, use, disclosure, disruption, modification, or destruction.

(3) Ensuring that information security management processes are integrated with Department strategic and operational planning processes.

(4) Ensuring that the Under Secretaries, Assistant Secretaries, and other key officials of the Department provide adequate security for the information and information systems under their control.

(5) Ensuring enforcement and compliance with the requirements imposed on the Department under the provisions of subchapter III of chapter 35 of title 44.

(6) Ensuring that the Department has trained program and staff office personnel sufficient to assist in complying with all the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(7) Ensuring that the Assistant Secretary for Information and Technology, in coordination with the Under Secretaries, Assistant Secretaries, and other key officials of the Department report to Congress, the Office of Management and Budget, and other entities as required by law and Executive Branch direction on the effectiveness of the Department information security program, including remedial actions.

(8) Notifying officials other than officials of the Department of data breaches when required under this subchapter.

(9) Ensuring that the Assistant Secretary for Information and Technology has the authority and control necessary to develop, approve, implement, integrate, and oversee the policies, procedures, processes, activities, and systems of the Department relating to subchapter III of chapter 35 of title 44, including the management of all related mission applications, information resources, personnel, and infrastructure.

(10) Submitting to the Committees on Veterans Affairs of the Senate and House of Representatives, the Committee on Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate, not later than March 1 each year, a report on the compliance of the Department with subchapter III of chapter 35 of title 44, with the information in such report displayed in the aggregate and separately for each Administration, office, and facility of the Department.

(11) Taking appropriate action to ensure that the budget for any fiscal year, as submitted by the President to Congress under section 1105 of title 31, sets forth separately the amounts required in the budget for such fiscal year for compliance by the Department with Federal law and regulations governing information security, including this subchapter and subchapter III of chapter 35 of title 44.

(12) Providing notice to the Director of the Office of Management and Budget, the Inspector General of the Department, and such other Federal agencies as the Secretary considers appropriate of a presumptive data breach of which notice is provided the Secretary under subsection (b)(16) if, in the opinion of the Assistant Secretary for Information and Technology, the breach involves the information of twenty or more individuals.

(b) Assistant Secretary for Information and Technology.—
The Assistant Secretary for Information and Technology, as the Chief Information Officer of the Department, is responsible for the following:

(1) Establishing, maintaining, and monitoring Department-wide information security policies, procedures, control techniques, training, and inspection requirements as elements of the Department information security program.

(2) Issuing policies and handbooks to provide direction for implementing the elements of the information security program to all Department organizations.

(3) Approving all policies and procedures that are related to information security for those areas of responsibility that are currently under the management and the oversight of other Department organizations.

(4) Ordering and enforcing Department-wide compliance with and execution of any information security policy.

(5) Establishing minimum mandatory technical, operational, and management information security control requirements for each Department system, consistent with risk, the processes identified in standards of the National Institute of Standards and Technology, and the responsibilities of the Assistant Secretary to operate and maintain all Department systems currently creating, processing, collecting, or disseminating data on behalf of Department information owners.

(6) Establishing standards for access to Department information systems by organizations and individual employees, and to deny access as appropriate.

(7) Directing that any incidents of failure to comply with established information security policies be immediately reported to the Assistant Secretary.

(8) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department for appropriate administrative or disciplinary action.

(9) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department along with taking action to correct the failure or violation.

(10) Requiring any key official of the Department who is so notified to report to the Assistant Secretary with respect to an action to be taken in response to any compliance failure or policy violation reported by the Assistant Secretary.

(11) Ensuring that the Chief Information Officers and Information Security Officers of the Department comply with all cyber security directives and mandates, and ensuring that these staff members have all necessary authority and means to direct full compliance with such directives and mandates relating to the acquisition, operation, maintenance, or use of information technology resources from all facility staff.

(12) Establishing the VA National Rules of Behavior for appropriate use and protection of the information which is used to support Department missions and functions.

(13) Establishing and providing supervision over an effective incident reporting system.

(14) Submitting to the Secretary, at least once every quarter, a report on any deficiency in the compliance with subchapter III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.

(15) Reporting immediately to the Secretary on any significant deficiency in the compliance described by paragraph (14).

(16) Providing immediate notice to the Secretary of any presumptive data breach.

(c) Associate Deputy Assistant Secretary for Cyber and Information Security.—
In accordance with the provisions of subchapter III of chapter 35 of title 44, the Associate Deputy Assistant Secretary for Cyber and Information Security, as the Senior Information Security Officer of the Department, is responsible for carrying out the responsibilities of the Assistant Secretary for Information and Technology under the provisions of subchapter III of chapter 35 of title 44, as set forth in subsection (b).

(d) Department Information Owners.—
In accordance with the criteria of the Centralized IT Management System, Department information owners are responsible for the following:

(1) Providing assistance to the Assistant Secretary for Information and Technology regarding the security requirements and appropriate level of security controls for the information system or systems where sensitive personal information is currently created, collected, processed, disseminated, or subject to disposal.

(2) Determining who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.

(3) Ensuring the VA National Rules of Behavior is signed on an annual basis and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions.

(4) Assisting the Assistant Secretary for Information and Technology in the identification and assessment of the common security controls for systems where their information resides.

(5) Providing assistance to Administration and staff office personnel involved in the development of new systems regarding the appropriate level of security controls for their information.

(e) Other Key Officials.—
In accordance with the provisions of subchapter III of chapter 35 of title 44, the Under Secretaries, Assistant Secretaries, and other key officials of the Department are responsible for the following:

(1) Implementing the policies, procedures, practices, and other countermeasures identified in the Department information security program that comprise activities that are under their day-to-day operational control or supervision.

(2) Periodically testing and evaluating information security controls that comprise activities that are under their day-to-day operational control or supervision to ensure effective implementation.

(3) Providing a plan of action and milestones to the Assistant Secretary for Information and Technology on at least a quarterly basis detailing the status of actions being taken to correct any security compliance failure or policy violation.

(4) Complying with the provisions of subchapter III of chapter 35 of title 44 and other related information security laws and requirements in accordance with orders of the Assistant Secretary for Information and Technology to execute the appropriate security controls commensurate to responding to a security bulletin of the Security Operations Center of the Department, with such orders to supersede and take priority over all operational tasks and assignments and be complied with immediately.

(5) Ensuring that

(A) all employees within their organizations take immediate action to comply with orders from the Assistant Secretary for Information and Technology to

(i) mitigate the impact of any potential security vulnerability;

(ii) respond to a security incident; or

(iii) implement the provisions of a bulletin or alert of the Security Operations Center; and

(B) organizational managers have all necessary authority and means to direct full compliance with such orders from the Assistant Secretary.

(6) Ensuring the VA National Rules of Behavior is signed and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions on an annual basis.

(f) Users of Department Information and Information Systems.—
Users of Department information and information systems are responsible for the following:

(1) Complying with all Department information security program policies, procedures, and practices.

(2) Attending security awareness training on at least an annual basis.

(3) Reporting all security incidents immediately to the Information Security Officer of the system or facility and to their immediate supervisor.

(4) Complying with orders from the Assistant Secretary for Information and Technology directing specific activities when a security incident occurs.

(5) Signing an acknowledgment that they have read, understand, and agree to abide by the VA National Rules of Behavior on an annual basis.

(g) Inspector General of Department of Veterans Affairs.—
In accordance with the provisions of subchapter III of chapter 35 of title 44, the Inspector General of the Department is responsible for the following:

(1) Conducting an annual audit of the Department information security program.

(2) Submitting an independent annual report to the Office of Management and Budget on the status of^[1] Department information security program, based on the results of the annual audit.

(3) Conducting investigations of complaints and referrals of violations as considered appropriate by the Inspector General.

[1] So in original. Probably should be followed by “the”.

38 USC 5724 - Provision of credit protection and other services

(a) Independent Risk Analysis.—

(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall ensure that, as soon as possible after the data breach, a non-Department entity or the Office of Inspector General of the Department conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.

(2) If the Secretary determines, based on the findings of a risk analysis conducted under paragraph (1), that a reasonable risk exists for the potential misuse of sensitive personal information involved in a data breach, the Secretary shall provide credit protection services in accordance with the regulations prescribed by the Secretary under this section.

(b) Regulations.—
Not later than 180 days after the date of the enactment of the Veterans Benefits, Health Care, and Information Technology Act of 2006, the Secretary shall prescribe interim regulations for the provision of the following in accordance with subsection (a)(2):

(1) Notification.

(2) Data mining.

(3) Fraud alerts.

(4) Data breach analysis.

(5) Credit monitoring.

(6) Identity theft insurance.

(7) Credit protection services.

(1) For each data breach with respect to sensitive personal information processed or maintained by the Secretary, the Secretary shall promptly submit to the Committees on Veterans Affairs of the Senate and House of Representatives a report containing the findings of any independent risk analysis conducted under subsection (a)(1), any determination of the Secretary under subsection (a)(2), and a description of any services provided pursuant to subsection (b).

(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense, the Secretary shall submit the report required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans Affairs of the Senate and House of Representatives.

38 USC 5725 - Contracts for data processing or maintenance

(a) Contract Requirements.—
If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that

(1) the contractor shall not, directly or through an affiliate of the contractor, disclose such information to any other person unless the disclosure is lawful and is expressly permitted under the contract;

(2) the contractor, or any subcontractor for a subcontract of the contract, shall promptly notify the Secretary of any data breach that occurs with respect to such information.

(b) Liquidated Damages.—
Each contract subject to the requirements of subsection (a) shall provide for liquidated damages to be paid by the contractor to the Secretary in the event of a data breach with respect to any sensitive personal information processed or maintained by the contractor or any subcontractor under that contract.

(c) Provision of Credit Protection Services.—
Any amount collected by the Secretary under subsection (b) shall be deposited in or credited to the Department account from which the contractor was paid and shall remain available for obligation without fiscal year limitation exclusively for the purpose of providing credit protection services pursuant to section 5724 (b) of this title.

38 USC 5726 - Reports and notice to Congress on data breaches

(a) Quarterly Reports.—

(1) Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.

(2) Each report submitted under paragraph (1) shall identify, for each data breach covered by the report

(A) the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach; and

(B) the status of any remedial or corrective action with respect to the data breach.

(b) Notification of Significant Data Breaches.—

(1) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans Affairs of the Senate and House of Representatives.

(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense that the Secretary determines is significant under paragraph (1), the Secretary shall provide the notice required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans Affairs of the Senate and House of Representatives.

(3) Notice under paragraphs (1) and (2) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

38 USC 5727 - Definitions

In this subchapter:

(1) Availability.—
The term availability means ensuring timely and reliable access to and use of information.

(2) Confidentiality.—
The term confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

(3) Control techniques.—
The term control techniques means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(4) Data breach.—
The term data breach means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.

(5) Data breach analysis.—
The term data breach analysis means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.

(6) Fraud resolution systems.—
The term fraud resolution services means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.

(7) Identity theft.—
The term identity theft has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).

(8) Identity theft insurance.—
The term identity theft insurance means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.

(9) Information owner.—
The term information owner means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.

(10) Information resources.—
The term information resources means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.

(11) Information security.—
The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

(12) Information security requirements.—
The term information security requirements means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.

(13) Information system.—
The term information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.

(14) Integrity.—
The term integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

(15) National security system.—
The term national security system means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.

(16) Plan of action and milestones.—
The term plan of action and milestones, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:

(A) A description of the security weakness.

(B) The identity of the office or organization responsible for resolving the weakness.

(D) The scheduled completion date.

(E) Key milestones with estimated completion dates.

(F) Any changes to the original key milestone date.

(G) The source that identified the weakness.

(H) The status of efforts to correct the weakness.

(17) Principal credit reporting agency.—
The term principal credit reporting agency means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a (p)).

(18) Security incident.—
The term security incident means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.

(19) Sensitive personal information.—
The term sensitive personal information, with respect to an individual, means any information about the individual maintained by an agency, including the following:

(A) Education, financial transactions, medical history, and criminal or employment history.

(B) Information that can be used to distinguish or trace the individuals identity, including name, social security number, date and place of birth, mothers maiden name, or biometric records.

(20) Subordinate plan.—
The term subordinate plan, also referred to as a system security plan, means a subordinate plan defines^[1] the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.

(21) Training.—
The term training means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.

(22) Va national rules of behavior.—
The term VA National Rules of Behavior means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.

(23) Va sensitive data.—
The term VA sensitive data means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.

[1] So in original.

38 USC 5728 - Authorization of appropriations

There are authorized to be appropriated to carry out this subchapter such sums as may be necessary for each fiscal year.