The Government Accountability Office (GAO) recently revealed in congressional testimony on information security, “Federal Agencies Need to Enhance Responses to Data Breaches,” that federal agencies reported 25,566 separate data breach incidents in 2013. Each of those incidents compromised PII (personally identifiable information). Those figures put the U.S. Government on the same footing as the private sector when it comes to the mishandling of PII. The Open Security Foundation’s (OSF) annual report, 2013 Data Breach Trends, noted that more than 823 million records were exposed in 2013 alone. Entities falling within the “Government” sector accounted for 19.3% of the total reported incidents in 2013. All in all, a rather dismal year for data security.
How is this happening?
It’s important to take a moment and review the incidents as a whole, with an eye toward the types of incidents that permitted the exposure of so much PII. The OSF report identified insider threats as responsible for 25 percent of the breaches. That share is further broken down into three categories: insiders whose intent was malicious (9.4 percent); insiders who compromised the data sets inadvertently (11.4 percent); and a small remainder (4.2 percent, captioned as “unknown”) for which an insider was responsible but intent could not be determined.
What to do?
Sadly, the OSF report also shows that the malicious insider overwhelmingly uses social engineering against his or her colleagues, not unlike Edward Snowden snowing his colleagues into handing over their credentials. The data shows that the greater threat to both government and the private sector remains external to the targeted entity. While that is statistically accurate, the law of large numbers applies: 9.4 percent of a large base of breaches is a large absolute number of malicious-insider incidents. An investment in awareness and training on processes and procedures designed to keep an employee from duping a colleague into providing access to an unauthorized individual remains a wise investment.
As a whole, the GAO recommends to the Office of Management and Budget (OMB) that the guidance provided to federal agencies be updated. Recommended changes include:
- guidance on notifying affected individuals based on a determination of the level of risk;
- criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals; and
- revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of the individual agencies and the government as a whole, and consolidated reporting of the incidents that pose limited risk.
The GAO continued with an additional 22 recommendations to specific government agencies to improve their response to data breaches. The Secretary of Defense was asked to direct the Secretary of the Army to implement four recommendations, the largest number directed at any single agency. The Secretary of Health and Human Services was asked to direct the Administrator for the Centers for Medicare & Medicaid Services to implement three recommendations. The Chairman of the Federal Deposit Insurance Corporation was provided with three recommendations to implement. The Chairman of the Federal Reserve Board was given three recommendations to implement. The Executive Director of the Federal Retirement Thrift Investment Board was directed to “update procedures to include the number of individuals affected…” The Commissioner of the Internal Revenue Service, the Chairman of the Securities and Exchange Commission and the Secretary of Veterans Affairs were each provided with three recommendations to implement.
While the GAO report demonstrates that work remains to be done, it also shows the GAO has its eye on the PII ball.