GAO: Agency Responses to Breaches Are Inconsistent, OMB Guidance Needs Update

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Jan. 8 --Eight federal agencies have inconsistently implemented policies and procedures for responding to breaches of personally identifiable information (PII), the Government Accountability Office said in a report released Jan. 8.

The GAO also concluded that the Department of Homeland Security's role in collecting information and providing assistance on PII-related breaches doesn't offer many benefits to federal agencies.

The report cited a substantial increase in the number of breaches in the federal government. “Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis,” the GAO said in the report. “In fiscal year 2012, agencies reported 22,156 data breaches--an increase of 111 percent from incidents reported in 2009.”

The GAO produced the report in response to a request by Sens. Tom Carper (D-Del.) and Tom Coburn (R-Okla.), chairman and ranking member of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Susan Collins (R-Maine), the committee's former chairman and ranking member.

The office recommended that the Office of Management and Budget update its guidance on federal agency responses to breaches involving PII. It also made 22 specific recommendations to the agencies.

“While the Government Accountability Office found that federal agencies do have notification plans in place, it is imperative that agencies heed GAO's warnings and implement these policies in a more robust and consistent fashion,” Carper said in a Jan. 8 statement. “Furthermore, the Office of Management and Budget needs to ensure that it is updating its guidance and conducting adequate oversight of agencies' implementation.”

“It's also critical that agencies utilize all of the tools and resources at their disposal to prevent a data breach from happening in the first place, such as the cybersecurity resources at the Department of Homeland Security,” Carper added. He said he plans to reintroduce data security legislation, such as legislation previously introduced with Sen. Roy Blunt (R-Mo.). He has introduced such measures several times, most recently in 2011 .

Implementation of Policies, Procedures

All of the agencies had policies for two “key management practices,” establishing a data breach response team and providing employee training requirements, the GAO said.

Although all of the agencies had policies for reporting data breaches, only five of the agencies completely addressed the other three “key operational practices” in their policies, the GAO found. For example, the Department of the Army did not have a documented policy for offering services to affected individuals, such as credit monitoring.

In addition, the implementation of those “key operational practices” was not always consistent, according to the report. All of the agencies examined prepared breach reports, but not all of those agencies consistently implemented the other three operational practices, the GAO said. For instance, the Army, Department of Veterans Affairs and Federal Deposit Insurance Corporation failed to document how they determined their risk levels.

“Incomplete guidance from the OMB allowed these agencies to implement data breach response policies and procedures inconsistently,” the GAO said. “Ensuring that agency data breach response programs are consistent and fully documented is an important means of ensuring that PII is fully protected.”

Role of DHS

OMB guidance requires that federal agencies report a PII-related breach to the DHS U.S. Computer Emergency Response Team (US-CERT) within one hour of the discovery of the breach.

However, based on its interviews with officials at federal agencies and US-CERT, the GAO said that this requirement “may be difficult to fulfill and of limited value.” US-CERT officials indicated that it could receive aggregate information at a later time, such as on a weekly or monthly basis.

“Until a more reasonable time frame is established that facilitates full reporting of meaningful information, much of the PII data breach information that US-CERT collects may be of limited value in understanding PII data breaches in government agencies,” the GAO said.

Agency officials also raised concerns about the need to report to US-CERT paper-based PII breaches or those involving the loss of hardware containing encrypted PII because they are of limited risk, according to the report.

The GAO said that DHS uses the data it collects mainly to compile statistical data, not to help agencies address breaches. The majority of the agencies reviewed did not seek technical assistance from US-CERT about breaches, it added.

“As a result, these agencies may be expending resources to meet reporting requirements that provide little value and divert time and attention from responding to breaches,” the GAO said.

The report, “Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent” (GAO-14-34), is available at