Privacy:

Lessons Learned about Data Breach Notification

GAO-07-657: Published: Apr 30, 2007. Publicly Released: Apr 30, 2007.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

A May 2006 data breach at the Department of Veterans Affairs (VA) and other similar incidents since then have heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. GAO's objective was to identify lessons learned from the VA data breach and other similar federal data breaches regarding effectively notifying government officials and affected individuals about data breaches. To address this objective, GAO analyzed documentation and interviewed officials at VA and five other agencies regarding their responses to data breaches and their progress in implementing standardized data breach notification procedures. The cases at the other agencies were chosen because, like the VA case, they involved loss or theft of computing equipment and relatively large numbers of affected individuals (10,000 or more).

Based on the experience of VA and other federal agencies in responding to data breaches, GAO identified the following lessons learned regarding how and when to notify government officials, affected individuals, and the public: (1) rapid internal notification of key government officials is critical; (2) because incidents vary, a core group of senior officials should be designated to make decisions regarding an agency's response; (3) mechanisms must be in place to obtain contact information for affected individuals; (4) determining when to offer credit monitoring to affected individuals requires risk-based management decisions; (5) interaction with the public requires careful coordination and can be resource-intensive; (6) internal training and awareness are critical to timely breach response, including notification; and (7) contractor responsibilities for data breaches should be clearly defined. These lessons have largely been addressed in guidance issued in 2006 from the Office of Management and Budget (OMB), which is responsible for overseeing security and privacy within the federal government. However, guidance to assist agency officials in making consistent risk-based determinations about when to offer credit monitoring or other protection services has not been developed. Without such guidance, agencies are likely to continue to make inconsistent decisions about what protections to offer affected individuals, potentially leaving some people more vulnerable than others.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendation for Executive Action

    Recommendation: The Director of OMB should develop guidance for federal agencies on conducting risk analyses to determine when to offer credit monitoring and when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft as a result of a federal data breach.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Not Implemented

    Comments: In written comments on our report, the Administrator, Office of E-Government and Information Technology, Office of Management and Budget (OMB), stated that the office concurred with our recommendation. OMB's stated position was that further guidance and a risk-based framework would be sufficient to enable federal agencies to determine the appropriate response to a federal data breach commensurate with the level of risk of identify theft. On May 22, 2007, OMB issued guidance--Safeguarding Against and Responding to the Breach of Personally Identifiable Information--that is consistent with its stated position and offers a general framework for a risk-based response to data breaches. However, this document does not provide guidance to agencies specifically on when to offer credit monitoring or when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft. As of August 2011, OMB has not revised this guidance or created new guidance to address when to offer credit monitoring or other services to individuals.

    Apr 2, 2014

    Jan 28, 2014

    Jan 8, 2014

    Sep 26, 2013

    Feb 20, 2013

    Feb 1, 2013

    Sep 27, 2012

    Sep 18, 2012

    Jul 17, 2012

    Jun 28, 2012

    Looking for more? Browse all our products here