Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent
Highlights
What GAO Found
The eight federal agencies GAO reviewed generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII) that addressed key practices specified by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology. The agencies reviewed generally addressed key management and operational practices in their policies and procedures, although three agencies had not fully addressed all key practices. For example, the Department of the Army (Army) had not specified the parameters for offering assistance to affected individuals. In addition, the implementation of key operational practices was inconsistent across the agencies. The Army, the Department of Veterans Affairs (VA), and the Federal Deposit Insurance Corporation had not documented how risk levels had been determined, and the Army had not offered credit monitoring consistently. Further, none of the agencies we reviewed consistently documented the evaluation of incidents and resulting lessons learned. Incomplete guidance from OMB contributed to this inconsistent implementation. As a result, these agencies may not be taking corrective actions consistently to limit the risk to individuals from PII-related data breach incidents.
According to agency officials, the Department of Homeland Security's (DHS) role of collecting information and providing assistance on PII breaches, as currently defined by federal law and policy, has provided few benefits. OMB's guidance to agencies requires them to report each PII-related breach to DHS's U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery. However, complete information from most incidents can take days or months to compile; therefore, preparing a meaningful report within 1 hour can be infeasible. US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful. Likewise, US-CERT officials said they have little use for case-by-case reports of certain kinds of data breaches, such as those involving paper-based PII, because they considered such incidents to pose very limited risk. Also, the agencies GAO reviewed have not asked US-CERT, whose expertise focuses more on cyber-related topics, for assistance in responding to PII-related incidents. As a result, these agencies may be expending resources to meet reporting requirements that provide little value and divert time and attention from responding to breaches.
Why GAO Did This Study
The term "data breach" generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches, an increase of 111 percent from incidents reported in 2009.
GAO was asked to review issues related to PII data breaches. The report's objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies.
To do this, GAO analyzed data breach response plans and procedures at eight agencies of various sizes, compared them to requirements in relevant laws and federal guidance, and interviewed officials from those agencies and from DHS.
Recommendations
GAO is making 23 recommendations to OMB to update its guidance on federal agencies' response to a data breach and to specific agencies to improve their response to data breaches involving PII. In response to OMB and agency comments on a draft of the report, GAO clarified or deleted three draft recommendations but retained the rest, as discussed in the report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | To improve the consistency and effectiveness of governmentwide data breach response programs, the Director of OMB should update its guidance on federal agencies' responses to a PII-related data breach to include: (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk. | In January 2017, in response to our recommendation, OMB issued guidance entitled Preparing for and Responding to a Breach of Personally Identifiable Information that addressed all three items included in our recommendation. The guidance provided detailed factors for agencies to consider when deciding whether or not to notify individuals potentially affected by a breach. In addition, the guidance provided criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals and stated that the assessed risk of harm to individuals shall inform the agency's decision of whether or not to offer guidance or provide other services. Lastly, the guidance, in conjunction with updated US-CERT reporting guidelines, provided instructions on revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk. Specifically, the guidance clarifies reporting time frames and no longer instructs agencies to report all incidents involving PII, regardless of electronic or physical form. It also clarifies that agencies should not attempt to distinguish between suspected and confirmed breaches. As a result, OMB has better assurance that agency data breach response programs are implemented consistently and fully documented, thereby better ensuring that PII is adequately protected. |
Department of Defense | To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to document procedures for offering assistance to affected individuals in the department's data breach response policy. | In response to our recommendation, Army updated its guidance on assistance to be offered to affected individuals after a breach has occurred. As of June 2017, Army's Records Management & Declassification Agency website showed guidance that directed Army officials to offer assistance, such as credit monitoring, if a breach involved credit cards and to consult with their respective Privacy Officers. As a result, Army has provided reasonable assurance that it will provide consistent and reasonable protections to individuals who may have their PII compromised as a result of a breach. |
Department of Defense | To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to document procedures for evaluating data breach responses and identifying lessons learned. | In response to our recommendation, Army updated its guidance on post-incident activity to outline the procedures for identifying lessons learned. As of June 2017, Army's Records Management & Declassification Agency website showed guidance that required an After Action Review Team to be assembled to assess the severity of each incident and identify lessons learned to minimize the recurrence of similar breaches. Further, the team was directed to consider activities such as determining the probable cause(s) and investigating measures that can be taken to prevent or minimize the risk of future occurrence, making necessary modifications to breach response strategies to improve the response process, and developing countermeasures to mitigate and remediate previous breaches while incorporating lessons learned so that past breaches do not recur. As a result, Army has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Department of Defense | To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require documentation of the reasoning behind risk determinations for breaches involving PII. | In August 2020, we verified that, in response to our recommendation, the Department of Defense's (DOD) Breach of Personally Identifiable Information (PII) Report includes a 5-factor risk analysis and impact assessment, and the agency has more consistently documented the reasoning behind risk determinations in case files. As a result, DOD has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
Department of Defense | To improve their response to data breaches involving PII, the Secretary of Defense should direct the Secretary of the Army to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In August 2020, we verified that, in response to our recommendation, the Department of Defense's (DOD) Breach of Personally Identifiable Information (PII) Report includes a section for actions taken in response to the breach, which is used to document lessons learned and actions taken to prevent recurrence for each breach. According to DOD, these actions are summarized in reports and discussed with officials to identify changes that are needed to policy and procedure. As a result, DOD has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Department of Health and Human Services | To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations. | In May 2018, in response to our recommendation, CMS updated its Team Handbook: The SOP for the Incident Management Team, which outlined 5 low-risk categories for which standardized risk assessments have been performed and stated that privacy incidents falling outside of the 5 low-risk categories require escalation to CMS. These incidents also require an individual risk assessment to be performed using a PII Risk Assessment Form, which requires documentation of five risk assessment factors and includes a field to describe the decision on the incident reporting. As a result, CMS has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
Department of Health and Human Services | To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to document the number of affected individuals associated with each incident involving PII. | In March 2018, we verified that the department responded to our recommendation by adding a field to document the total number of affected individuals for all reported breaches. As a result, HHS has decreased the risk of improperly assessing the likely risk of harm associated with each incident. |
Department of Health and Human Services | To improve their response to data breaches involving PII, the Secretary of Health and Human Services should direct the Administrator for the Centers for Medicare & Medicaid Services to require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In March 2018, we determined that HHS, in response to our recommendation, added a section to its privacy risk assessments for corrective actions, which is used to document lessons learned, remediation actions, and process breakdowns for each privacy incident. According to CMS, these actions are discussed at biweekly status meetings with the Department of Health and Human Services in order to identify changes that are needed to policy and procedure. As a result, HHS has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Federal Deposit Insurance Corporation | To improve their response to data breaches involving PII, the Chairman of the Federal Deposit Insurance Corporation should require documentation of the reasoning behind risk determinations for breaches involving PII. | In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include procedures for a 5-factor risk analysis and impact assessment, and the agency has more consistently documented the reasoning behind risk determinations in case files since that time. As a result, FDIC has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
Federal Deposit Insurance Corporation | To improve their response to data breaches involving PII, the Federal Deposit Insurance Corporation should document the number of affected individuals associated with each incident involving PII. | In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include procedures for a 5-factor risk analysis and impact assessment, which includes documenting the number of individuals or entities affected. The agency has more consistently documented the number of affected individuals in case files since that time. As a result, FDIC has decreased the risk of improperly assessing the likely risk of harm associated with each incident. |
Federal Deposit Insurance Corporation | To improve their response to data breaches involving PII, the Chairman of the Federal Deposit Insurance Corporation should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In May 2014, in response to our recommendation, FDIC updated its Data Breach Handling Guide to include an after action review, which is to coordinate an assessment of the "lessons learned" and to consider whether modifications to the incident handling procedures are needed. It has more consistently documented lessons learned in case files since that time. As a result, FDIC has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Federal Reserve System | To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations. | In 2018, we verified that, in response to our recommendation, FRB updated its policy on data breach notification, which states that the Core Response Group will determine whether to notify affected parties, individuals or companies, or external parties based on its assessment of the likely risk of harm caused by the breach. The policy also states that the Information Security Officer will document the risk assessment performed by the Core Response Group, including a description of the type, manner, and scope of the breach, and the reasoning behind the risk determinations. As a result, FRB has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
Federal Reserve System | To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should document the number of affected individuals associated with each incident involving PII. | In August 2018, we verified that, in response to our recommendation, FRB created a repository to collect information about each breach, including the total number of affected individuals. As a result, FRB has decreased the risk of improperly assessing the likely risk of harm associated with each incident. |
Federal Reserve System | To improve their response to data breaches involving PII, the Chairman of the Federal Reserve Board should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In August 2018, we verified that, in response to our recommendation, FRB updated its policy on data breach notification to state that its Core Response Group will evaluate the scope of the breach and the events that led to the breach and review the security procedures, including the procedures for access to the information, to determine whether changes are necessary, including recommending remedial action such as further employee education. Further, the policy states that for all breaches involving PII, the Chief Privacy Officer will evaluate the response to the data breaches and identify lessons learned that may be incorporated into the Board's security and privacy policies and practices. As a result, FRB has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Internal Revenue Service | To improve their response to data breaches involving PII, the Commissioner of the Internal Revenue Service should update procedures to include the number of individuals affected as a factor that should be considered in assessing the likely risk of harm. | In June 2014, in response to our recommendation, IRS updated its incident response policies to include the number of individuals affected as a factor when determining when and how to provide notification to affected individuals. As a result, IRS has reasonable assurance that it is appropriately determining the likely risk of harm to their agencies and level of impact of a suspected data breach. |
Internal Revenue Service | To improve their response to data breaches involving PII, the Commissioner of the Internal Revenue Service should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In June 2017, in response to our recommendation, IRS provided evidence to show that it has prepared an annual trend analysis report for fiscal years 2015 and 2016 that includes an analysis of the incidents based on the types of assets, locations, and risk assessment code. According to its Breach Response Guide, the report will be shared with the Privacy Compliance office to determine if there are any processes for which a Business PII Risk Assessment (BPRA) can be performed. The BPRA is used to identify vulnerabilities and make recommendations for changes to improve the agency's security and privacy policies and practices. As a result, IRS has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
United States Securities and Exchange Commission | To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should require documentation of the risk assessment performed for breaches involving PII, including the reasoning behind risk determinations. | In August 2015, we determined that SEC, in response to our recommendation, implemented changes to its incident reporting policy so that smartphones verified as encrypted using FIPS 140-2 approved modules are no longer reported to US-CERT or treated as incidents. All of the other incidents we reviewed during the engagement included documented risk assessments. Thus, as a result of eliminating the reporting of incidents involving encrypted mobile devices, the SEC's documentation of risk assessments for each incident involving PII is no longer incomplete, and the agency has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
United States Securities and Exchange Commission | To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should document the number of affected individuals associated with each incident involving PII. | In August 2015, we determined that SEC, in response to our recommendation, implemented changes to its incident reporting policy so that smartphones verified as encrypted using FIPS 140-2 approved modules are no longer reported to US-CERT or treated as incidents. Thus, all of the incidents we identified that did not include documentation of the number of affected individuals are no longer considered incidents. As a result of this change in reporting, the SEC's documentation of the number of affected individuals for reportable incidents is no longer incomplete, and the agency has decreased the risk of improperly assessing the likely risk of harm associated with each incident. |
United States Securities and Exchange Commission | To improve their response to data breaches involving PII, the Chairman of the Securities and Exchange Commission should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In August 2015, we determined that SEC privacy and security staff, in response to our recommendation, held manager forums during the 2015 regional office site visits and supplemental PII training to discuss lessons learned from previous incidents and get feedback on mitigation efforts. As a result, SEC has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Department of Veterans Affairs | To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should require documentation of the reasoning behind risk determinations for breaches involving PII. | In October 2015, in response to our recommendation, VA updated its guidance on data breaches to include a detailed description of its standard risk assessment criteria. The guidance also required the Incident Resolution Service to perform a full risk assessment when an incident falls outside of the standard criteria. The risk assessment tool requires documentation of the risk assessment factors and variables considered in the assessment. As a result, VA has increased assurance that all incidents involving a breach of PII were appropriately assessed. |
Department of Veterans Affairs | To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should document the number of affected individuals associated with each incident involving PII. | In February 2014, the department responded to our recommendation by adding a field to document the total number of affected individuals for all reported breaches. As a result, VA has decreased the risk of improperly assessing the likely risk of harm associated with each incident. |
Department of Veterans Affairs | To improve their response to data breaches involving PII, the Secretary of Veterans Affairs should require an evaluation of the agency's response to data breaches involving PII to identify lessons learned that could be incorporated into agency security and privacy policies and practices. | In July 2016, in response to our recommendation, the Department of Veterans Affairs (VA) updated its guidance on data breaches to assign roles and responsibilities for Facility Chief Information Officers, Privacy Officers, and Information Security Officers to assess lessons learned from breaches of sensitive personal information. For example, the Facility Chief Information Officers are responsible for participating with the facility incident response staff in a post mortem review of all documentation about an incident or suspected incident and for implementing best practices as appropriate based on the review. Privacy Officers and Information Security Officers are responsible for logging the resolution of the incident and raising user awareness by capturing lessons learned. As a result, VA has decreased the risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented. |
Federal Retirement Thrift Investment Board | To improve their response to data breaches involving PII, the Secretary of the Federal Retirement Thrift Investment Board should update procedures to include the number of individuals affected as a factor that should be considered in assessing the likely risk of harm. | In June 2017, in response to our recommendation, the Federal Retirement Thrift Investment Board (FRTIB) updated its incident response procedures to consider the number of potentially impacted individuals when evaluating the risk level of an incident involving PII. As a result, FRTIB has reasonable assurance that it is appropriately determining the likely risk of harm to their agencies and level of impact of a suspected data breach. |