The Government Accountability Office has released a new report, “Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T),” detailing Congressional testimony by Gregory Wilshusen, the GAO’s director of information security issues, that finds that agencies need to do more to protect the privacy of personally identifiable information. Here’s an excerpt:
As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including PII. Specifically, agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls. GAO and inspectors general have continued to make recommendations to strengthen agency policies and practices.
In December 2013, GAO reported on agencies’ responses to PII data breaches and found that they were inconsistent and needed improvement. Although selected agencies had generally developed breach-response policies and procedures, their implementation of key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology guidance was inconsistent. For example,
- only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches; two agencies documented the number of affected individuals for each incident; and two agencies notified affected individuals for all high-risk breaches.
- the seven agencies did not consistently offer credit monitoring to affected individuals; and
- none of the seven agencies consistently documented lessons learned from their breach responses.