From a GAO report (GAO-14-487T) released today, the highlights:
The number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years (see figure).
As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including PII. Specifically, agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls. GAO and inspectors general have continued to make recommendations to strengthen agency policies and practices.
In December 2013, GAO reported on agencies’ responses to PII data breaches and found that they were inconsistent and needed improvement. Although selected agencies had generally developed breach-response policies and procedures, their implementation of key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology guidance was inconsistent. For example,
- only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches; two agencies documented the number of affected individuals for each incident; and two agencies notified affected individuals for all high-risk breaches.
- the seven agencies did not consistently offer credit monitoring to affected individuals; and
- none of the seven agencies consistently documented lessons learned from their breach responses.
Incomplete guidance from OMB contributed to this inconsistent implementation. For example, OMB’s guidance does not make clear how agencies should use risk levels to determine whether affected individuals should be notified. In addition, the nature and timing of reporting requirements may be too stringent.
Download the full report from GAO