A federal law passed nearly 40 years ago to control how the government collects information on Americans contains "major loopholes" that infringe on citizens' privacy, an American Civil Liberties Union attorney testified Tuesday.
At a Senate hearing, Christopher Calabrese, legislative counsel for the ACLU, said the Privacy Act, which passed in 1974, needs to be updated.
"The act has always had some major loopholes and has become even more outdated over time," Calabrese told the Subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia.
The federal government collects a wide array of data on Americans for purposes ranging from voter registration to issuing business licenses. The law outlines how their data can be collected and used, and requires the government to keep secure and accurate records. But Calabrese said the law no longer provides adequate protection with the growing use of computer databases to store personal information.
The federal government uses commercial databases for background checks, fraud prevention and law enforcement investigations. Such databases "frequently contain incorrect information" and are outside the protections of the law that allow citizens to correct mistakes in their records, Calabrese said.
In addition, Calabrese said that when the government fails to protect citizens' privacy, the Supreme Court has made it harder for them to find recourse. Earlier this year, the court ruled that a pilot could not sue for damages for mental and emotional distress after a federal agency revealed to another agency that he was HIV positive -- a violation of privacy law. The court ruled that plaintiffs could only sue for damages if they suffered financial harm.
"This decision is particularly harmful because the damage from privacy disclosures is often embarrassment, anxiety and emotional distress," Calabrese said.
Calabrese also said the privacy law needs to be strengthened after the Obama administration issued new guidelines that extend the time -- from 180 days to five years -- that counterterrorism analysts can keep private information on Americans who are not suspected of a crime.
This change "now allows agencies to perform searches on people with no connection to terrorism and share the results for a wide variety of purposes with almost anyone," Calabrese said. This is "precisely the type of harm the Privacy Act was enacted to prevent," he said.
While other experts agreed that the Privacy Act has become outdated, Paul Rosenzweig, a visiting fellow at the Heritage Foundation, cautioned against creating new privacy laws that will soon be overtaken by rapid advancements in technology.
He said Congress should focus instead on increasing oversight over how the government handles citizens' personal information.
"Categorical rules are, in my judgment, a straitjacket," Rosenzweig said.
Experts at Tuesday's hearing also said Congress should pass legislation that requires federal agencies to disclose when personal data is accidentally exposed.
Six years ago, a data breach at the Department of Veterans Affairs revealed the personal information of more than 26 million veterans and active duty personnel. After that incident, the Office of Management and Budget (OMB) told federal agencies to notify citizens whose private information had been lost or stolen.
But many agencies still fail to disclose such incidents, Calabrese said, and they are growing in number. Since 2008, the federal government has been responsible for at least 78 data breaches, exposing at least 77 million records, according to the ACLU.
Earlier this year, hackers broke into the computer systems of a government contractor that handles federal retirement plans. More than 43,000 federal employees had their names, addresses and Social Security numbers compromised.
"I was one of them," Sen. Daniel Akaka (D-Hawaii) said at the hearing.
Although the FBI discovered the breach in April, the Federal Retirement Thrift Investment Board -- the agency responsible for the information -- did not disclose it until late May.
"I was concerned to learn the board had not followed the 2007 OMB guidance and did not have a data breach notification policy in place when they learned of the breach," Akaka said.
Akaka has introduced an amendment to the cybersecurity bill that requires government agencies to notify citizens whose personal information has been lost or stolen. The Senate is expected to vote on the legislation this week.