Over the past few years the number of federal data breaches involving personally identifiable information (PII) has risen significantly but agency responses for dealing with the loss of such data have been inconsistent, according to a new Government Accountability Office (GAO) report.

Between fiscal years 2009 and 2012, the number of security incidents involving PII reported by federal agencies soared 111 percent, from 10,481 to 22,156, says the report, citing the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

The loss of PII data could lead to identity theft or other fraudulent activity, says the GAO in Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent (GAO-14-34). Moreover, it says the costs to respond to breaches can be substantial, both for individuals and organizations.

Citing one survey, GAO says the average per capita cost for United States companies responding to a data breach was $188 per compromised record in FY ’12. It says the survey shows that U.S. companies incurred $5.4 million per breach for costs related to detecting and reporting it, notifying affected individuals, and providing credit monitoring or other services.

The report highlights a number of existing federal laws, guidelines and operational practices that require breaches to be reported to appropriate entities such as US-CERT, the impact of a suspected breach to be assessed to determine whether affected individuals need to be notified, assistance to be offered to affected individuals, and the response to the breach and lessons learned to be analyzed.

GAO says that of the eight agencies it reviewed, most adhered to the guidelines but were inconsistent in how they implemented the operational practices. For example, in a review of data breaches involving PII at the eight agencies, GAO’s analysis shows that only the Army, IRS and Veterans Administration consistently documented the number of affected individuals. The Federal Deposit Insurance Corp. documented affected individuals in 14 of 35 incidents and the Federal Reserve Board just once in 40 incidents.

“While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of the data breach,” GAO says.

“While the Government Accountability Office found that federal agencies do have notification plans in place, it is imperative that agencies heed GAO’s warnings and implement these policies in a more robust and consistent fashion,” Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement on Wednesday.

Office of Management and Budget guidance requires agencies to report breaches to US-CERT within one hour of a breach being detected. However, GAO says preparing a meaningful incident report within an hour can be difficult, and the information US-CERT receives in such reports may be of limited quality. US-CERT uses the data to compile statistics on the number of PII-related breaches, not to help agencies resolve their breaches, GAO says.

The reports to US-CERT also cover paper-based breaches and the loss of hardware containing encrypted PII. Some agencies see little value in reporting these breaches to US-CERT because the risks are limited, GAO says, adding that US-CERT officials believe they should not be receiving reports on paper-based PII breaches.

GAO agrees that immediate reporting of all paper-based and encrypted hardware losses to US-CERT “adds little value beyond what could be achieved by periodic consolidated reporting.”