Kellie Lunney reports that the recent TSP breach has inspired at least one Senator to try to require all federal agencies to have a breach notification policy in place. You’d have thought they would have one already, wouldn’t you, but apparently not….
The head of the Thrift Savings Plan expressed regret on Tuesday over not having a policy in place earlier to notify participants of security breaches to their retirement accounts.
The Federal Retirement Thrift Investment Board implemented a breach notification plan in June, Gregory Long, the board’s executive director, said during a hearing on Capitol Hill. That was about two months after the board learned of a 2011 cyberattack that led to the unauthorized access to the accounts of as many as 123,000 plan participants and other recipients of TSP plan payments.
Long blamed “a lack of resources” for the board’s inability to develop a plan to inform TSP participants of security breaches when they occur.
[…]
Sen. Daniel Akaka, D-Hawaii, said he was concerned the board did not have a breach notification policy when the agency learned about the cyberattack in April. Akaka, who chairs the Senate Homeland Security and Governmental Affairs federal workforce subcommittee has asked the Government Accountability Office to determine how many other agencies have failed to incorporate OMB’s guidance and whether sufficient oversight of compliance exists. Akaka was one of 43 members of Congress who was affected by the security breach. He has offered an amendment to the 2012 Cybersecurity Act, which the Senate is considering Tuesday evening, that would make it mandatory for every federal agency to have a breach notification policy in place.
Read more on GovExec