Jan. 8 -- Eight federal agencies have inconsistently implemented policies and procedures for responding to breaches of personally identifiable information (PII), the Government Accountability Office said in a report released Jan. 8.
The GAO also concluded that the Department of Homeland Security's role in collecting information and providing assistance on PII-related breaches doesn't offer many benefits to federal agencies.
The report cited a substantial increase in the number of breaches in the federal government. “Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis,” the GAO said in the report. “In fiscal year 2012, agencies reported 22,156 data breaches--an increase of 111 percent from incidents reported in 2009.”
The GAO produced the report in response to a request by Sens. Tom Carper (D-Del.) and Tom Coburn (R-Okla.), chairman and ranking member of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Susan Collins (R-Maine), the committee's former chairman and ranking member.
The office recommended that the Office of Management and Budget update its guidance on federal agency responses to breaches involving PII. It also made 22 specific recommendations to the agencies.
“While the Government Accountability Office found that federal agencies do have notification plans in place, it is imperative that agencies heed GAO's warnings and implement these policies in a more robust and consistent fashion,” Carper said in a Jan. 8 statement. “Furthermore, the Office of Management and Budget needs to ensure that it is updating its guidance and conducting adequate oversight of agencies' implementation.”
“It's also critical that agencies utilize all of the tools and resources at their disposal to prevent a data breach from happening in the first place, such as the cybersecurity resources at the Department of Homeland Security,” Carper added. He said he plans to reintroduce data security legislation, such as legislation previously introduced with Sen. Roy Blunt (R-Mo.). He has introduced such measures several times, most recently in 2011.
All of the agencies had policies for two “key management practices,” establishing a data breach response team and providing employee training requirements, the GAO said.
Although all of the agencies had policies for reporting data breaches, only five of the agencies completely addressed the other three “key operational practices” in their policies, the GAO found. For example, the Department of the Army did not have a documented policy for offering services to affected individuals, such as credit monitoring.
In addition, the implementation of those “key operational practices” was not always consistent, according to the report. All of the agencies examined prepared breach reports, but not all of those agencies consistently implemented the other three operational practices, the GAO said. For instance, the Army, Department of Veterans Affairs and Federal Deposit Insurance Corporation failed to document how they determined their risk levels.
“Incomplete guidance from the OMB allowed these agencies to implement data breach response policies and procedures inconsistently,” the GAO said. “Ensuring that agency data breach response programs are consistent and fully documented is an important means of ensuring that PII is fully protected.”
OMB guidance requires that federal agencies report a PII-related breach to the DHS U.S. Computer Emergency Response Team (US-CERT) within one hour of the discovery of the breach.
However, based on its interviews with officials at federal agencies and US-CERT, the GAO said that this requirement “may be difficult to fulfill and of limited value.” US-CERT officials indicated that it could receive aggregate information at a later time, such as on a weekly or monthly basis.
“Until a more reasonable time frame is established that facilitates full reporting of meaningful information, much of the PII data breach information that US-CERT collects may be of limited value in understanding PII data breaches in government agencies,” the GAO said.
Agency officials also raised concerns about the need to report to US-CERT paper-based PII breaches or those involving the loss of hardware containing encrypted PII because they are of limited risk, according to the report.
The GAO said that DHS uses the data it collects mainly to compile statistical data, not to help agencies address breaches. The majority of the agencies reviewed did not seek technical assistance from US-CERT about breaches, it added.
“As a result, these agencies may be expending resources to meet reporting requirements that provide little value and divert time and attention from responding to breaches,” the GAO said.
The report, “Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent” (GAO-14-34), is available at http://www.gao.gov/assets/660/659572.pdf.