The Government Accountability Office (GAO) recommends in a new report that federal agencies improve how they handle unauthorized disclosures of sensitive personal information.
The 67-page report found that while agencies have “data breach” response plans in place, they do not consistently notify potential victims when disclosures of Social Security numbers and other personally identifiable information are discovered. The GAO based its findings on a sample of agencies of varying sizes, including the Army, Federal Deposit Insurance Corp. (FDIC), Securities and Exchange Commission (SEC) and Veterans Affairs (VA) Department.
“While the Army and SEC notified affected individuals for all of their high-risk breaches,” five other agencies “did not always notify affected individuals in cases where a high-risk determination was made,” the GAO wrote. “For example, for the majority of high-risk incidents at FDIC, affected individuals were not notified. Similarly, almost as many high-risk incidents at VA did not involve notification as those that did have notification.”
The GAO recommended that the Office of Management and Budget (OMB) update its guidance to federal agencies on data breach responses. The GAO also urged the agencies it reviewed to improve their data breach response procedures.
Data breaches have been a significant and growing problem for the federal government. They can occur for many reasons, ranging from the loss of a laptop computer to a cyber attack by a foreign adversary. They can leave individuals vulnerable to identity theft or other kinds of fraud. Despite taking steps to protect personally identifiable information, federal agencies reported 22,156 data breaches in fiscal year 2012, a 111-percent increase from 2009, according to the GAO.
The GAO wrote its report at the request of Sens. Thomas Carper (D-Del.) and Tom Coburn (R-Okla.), chairman and ranking member, respectively, of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Susan Collins (R-Maine). In commenting on the document, Carper said Jan. 8 that he plans to reintroduce legislation he has promoted for several years “to ensure that businesses, federal agencies, and others that hold sensitive information respond swiftly and effectively to protect consumers in the unfortunate event of a breach.”