Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

GAO-14-34: Published: Dec 9, 2013. Publicly Released: Jan 8, 2014.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The eight federal agencies GAO reviewed generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII) that addressed key practices specified by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology. The agencies reviewed generally addressed key management and operational practices in their policies and procedures, although three agencies had not fully addressed all key practices. For example, the Department of the Army (Army) had not specified the parameters for offering assistance to affected individuals. In addition, the implementation of key operational practices was inconsistent across the agencies. The Army, VA, and the Federal Deposit Insurance Corporation had not documented how risk levels had been determined and the Army had not offered credit monitoring consistently. Further, none of the agencies we reviewed consistently documented the evaluation of incidents and resulting lessons learned. Incomplete guidance from OMB contributed to this inconsistent implementation. As a result, these agencies may not be taking corrective actions consistently to limit the risk to individuals from PII-related data breach incidents.

According to agency officials, the Department of Homeland Security's (DHS) role of collecting information and providing assistance on PII breaches, as currently defined by federal law and policy, has provided few benefits. OMB's guidance to agencies requires them to report each PII-related breach to DHS's U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery. However, complete information from most incidents can take days or months to compile; therefore preparing a meaningful report within 1 hour can be infeasible. US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful. Likewise, US-CERT officials said they have little use for case-by-case reports of certain kinds of data breaches, such as those involving paper-based PII, because they considered such incidents to pose very limited risk. Also, the agencies GAO reviewed have not asked for assistance in responding to PII-related incidents from US-CERT, which has expertise focusing more on cyber-related topics. As a result, these agencies may be expending resources to meet reporting requirements that provide little value and divert time and attention from responding to breaches.

Why GAO Did This Study

The term "data breach" generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches--an increase of 111 percent from incidents reported in 2009.

GAO was asked to review issues related to PII data breaches. The report's objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies.

To do this, GAO analyzed data breach response plans and procedures at eight various-sized agencies and compared them to requirements in relevant laws and federal guidance and interviewed officials from those agencies and from DHS.

What GAO Recommends

GAO is making 23 recommendations to OMB to update its guidance on federal agencies' response to a data breach and to specific agencies to improve their response to data breaches involving PII. In response to OMB and agency comments on a draft of the report, GAO clarified or deleted three draft recommendations but retained the rest, as discussed in the report.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include: (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to document procedures for offering assistance to affected individuals in the department's data breach response policy.

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to document procedures for evaluating data breach responses and identifying lessons learned.

    Agency Affected: Department of Defense

  4. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency Affected: Department of Defense

  5. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Department of Defense

  6. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency Affected: Department of Health and Human Services

  7. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII.

    Agency Affected: Department of Health and Human Services

  8. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Department of Health and Human Services

  9. Status: Closed - Implemented

    Comments: In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include procedures for a 5-factor risk analysis and impact assessment, and the agency has more consistently documented the reasoning behind risk determinations in case files since that time. As a result, FDIC has increased assurance that all incidents involving a breach of PII were appropriately assessed.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Deposit Insurance Corporation should require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency Affected: Federal Deposit Insurance Corporation

  10. Status: Closed - Implemented

    Comments: In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include procedures for a 5-factor risk analysis and impact assessment, which includes documenting the number of individuals or entities affected. The agency has more consistently documented the number of affected individuals in case files since that time. As a result, FDIC has decreased the risk of improperly assessing the likely risk of harm associated with each incident.

    Recommendation: To improve their response to data breaches involving PII, the Federal Deposit Insurance Corporation should document the number of affected individuals associated with each incident involving PII.

    Agency Affected: Federal Deposit Insurance Corporation

  11. Status: Closed - Implemented

    Comments: In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include an after-action review, which is to coordinate an assessment of the "lessons learned" and to consider whether modifications to the incident handling procedures are needed. It has more consistently documented lessons learned in case files since that time. As a result, FDIC has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Deposit Insurance Corporation should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Federal Deposit Insurance Corporation

  12. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency Affected: Federal Reserve System

  13. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII.

    Agency Affected: Federal Reserve System

  14. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Federal Reserve System

  15. Status: Closed - Implemented

    Comments: In June 2014, in response to our recommendation, IRS updated its incident response policies to include the number of individuals affected as a factor when determining when and how to provide notification to affected individuals. As a result, IRS has reasonable assurance that it is appropriately determining the likely risk of harm to their agencies and level of impact of a suspected data breach.

    Recommendation: To improve their response to data breaches involving PII, the Commissioner of the Internal Revenue Service should update procedures to include the number of individuals affected as a factor that should be considered in assessing the likely risk of harm.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  16. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Commissioner of the Internal Revenue Service should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  17. Status: Closed - Implemented

    Comments: In August 2015, we determined that SEC, in response to our recommendation, implemented changes to its incident reporting policy so that smart phones verified as encrypted using FIPS 140-2 approved modules are no longer reported to US-CERT or treated as incidents. All of the other incidents we reviewed during the engagement included documented risk assessments. Thus, as a result of eliminating the reporting of incidents involving encrypted mobile devices, the SEC no longer has gaps in its documentation of risk assessments for each incident involving PII and has increased assurance that all incidents involving a breach of PII were appropriately assessed.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations.

    Agency Affected: United States Securities and Exchange Commission

  18. Status: Closed - Implemented

    Comments: In August 2015, we determined that SEC, in response to our recommendation, implemented changes to its incident reporting policy so that smart phones verified as encrypted using FIPS 140-2 approved modules are no longer reported to US-CERT or treated as incidents. Thus, all of the incidents we identified that did not include documentation of the number of affected individuals are no longer considered incidents. As a result of this change in reporting, the SEC no longer has gaps in its documentation of the number of affected individuals for reportable incidents and has decreased the risk of improperly assessing the likely risk of harm associated with each incident.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should document the number of affected individuals associated with each incident involving PII.

    Agency Affected: United States Securities and Exchange Commission

  19. Status: Closed - Implemented

    Comments: In August 2015, we determined that SEC privacy and security staff, in response to our recommendation, held manager forums during the 2015 regional office site visits and supplemental PII training to discuss lessons learned from previous incidents and get feedback on mitigation efforts. As a result, SEC has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented.

    Recommendation: To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: United States Securities and Exchange Commission

  20. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should require documentation of the reasoning behind risk determinations for breaches involving PII.

    Agency Affected: Department of Veterans Affairs

  21. Status: Closed - Implemented

    Comments: In February 2014, the department responded to our recommendation by adding a field to document the total number of affected individuals for all reported breaches. As a result, VA has decreased the risk of improperly assessing the likely risk of harm associated with each incident.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should document the number of affected individuals associated with each incident involving PII.

    Agency Affected: Department of Veterans Affairs

  22. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices.

    Agency Affected: Department of Veterans Affairs

  23. Status: Open

    Comments: We have not yet validated agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.

    Recommendation: To improve their response to data breaches involving PII, the Secretary of the Federal Retirement Thrift Investment Board should update procedures to include the number of individuals affected as a factor that should be considered in assessing the likely risk of harm.

    Agency Affected: Federal Retirement Thrift Investment Board
