US gov't seeks faster data breach notices

21.07.2006
The governmentwide fallout from the massive security breach at the U.S. Department of Veterans Affairs (VA) continued this week, as an influential congressman proposed legislation that would require agencies to notify the public if sensitive data is lost or stolen.

The legislation filed by Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, calls for the White House Office of Management and Budget (OMB) to set disclosure policies and standards for federal agencies to follow in the event of breaches involving personal data.

The OMB already toughened the internal breach-notification requirements for agencies via a July 12 memo issued by de facto federal CIO Karen Evans. Agencies now must report any incident involving personally identifiable information to the U.S. Department of Homeland Security within one hour of discovering it, Evans wrote. That includes both confirmed and suspected breaches, she added.

In a statement this week, Davis said his attempt to amend the Federal Information Security Management Act also is aimed at forcing agencies to disclose breaches more quickly. 'We have seen too many recent examples when sensitive data has been lost or stolen and agencies have moved too slowly to acknowledge the problem and take steps to limit the potential damage,' he said.

For instance, the theft of a laptop PC and external disk drive that triggered the breach at the VA took place on May 3. VA Secretary R. James Nicholson wasn't informed of the incident until May 16, and the agency waited another seven days before publicly disclosing it.

At a hearing held by the Senate Committee on Veterans' Affairs Thursday, Nicholson testified about the dilemma he faced over whether the VA should further delay the disclosure or go public with the news and potentially alert the thief about the kind of data that the disk drive contained. 'We had a very big pow-wow, and there were pros and cons, and [ultimately] I made the decision that we needed to inform,' he said.