Agencies Uneven in PII Breach Response
GAO: Assistance from DHS Provides Few Benefits
The eight agencies are the departments of the Army and Veterans Affairs, Centers for Medicare and Medicaid Services, Federal Deposit Insurance Corp., Federal Reserve Board, Federal Retirement Thrift Investment Board, Internal Revenue Service and Securities and Exchange Commission.
Gregory Wilshusen, GAO director of information security issues, says in the report that agency officials told examiners that the role of the Department of Homeland Security, including its U.S. Computer Emergency Readiness Team, in collecting information and providing assistance on PII breaches, as defined by federal law and policy, has provided few benefits.
"While U.S.-CERT plays an important role in responding to cyber incidents, including coordinating government-wide responses and providing technical assistance to agencies, the utility of its role in responding to PII incidents is more limited, particularly when system or network issues are not involved," Wilshusen says. "Given this limited role, the requirement to report all PII-related incidents within one hour provides little value."
Wilshusen says immediate reporting of individual incidents involving the loss of hardware containing encrypted PII or paper-based PII to U.S.-CERT adds little value beyond what could be achieved by periodic consolidated reporting. "Agencies may be making efforts to meet the reporting requirements that could be diverting attention and limited resources from other breach response activities," he says.
The agencies GAO reviewed generally addressed key management and operational practices in their policies and procedures, although three agencies had not fully addressed all key practices. For example, GAO says the Army failed to specify the parameters for offering assistance to individuals whose PII had been exposed.
Implementation of key operational practices was inconsistent across the agencies. GAO says the Army, VA and FDIC failed to document how risk levels had been determined and the Army had not been consistent in offering credit monitoring to those affected by the breaches.
Wilshusen says none of the agencies GAO reviewed consistently documented the evaluation of incidents and resulting lessons learned, adding that incomplete guidance from the Office of Management and Budget contributed to this inconsistent implementation. "These agencies may not be taking corrective actions consistently to limit the risk to individuals from PII-related data breach incidents," he says.
Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, says OMB needs to ensure that it updates its guidance and conducts adequate oversight of agencies' implementation. Carper says he intends to reintroduce the Data Security Act, which he offered in the last Congress as an amendment to the Cybersecurity Act of 2012. The Cybersecurity Act failed to come up for a vote in the Senate (see Senate, Again, Fails to Halt Filibuster). The Data Security Act would have prescribed security procedures to protect consumers' personal information in an information breach.
Citing data from CERT, GAO says the number of security incidents involving PII reported by federal agencies soared by 111 percent to 22,156 incidents in fiscal year 2012 from 10,481 incidents in FY 2009.
Major breaches in recent years involving the loss of PII include the May 2012 incident in which the Federal Retirement Thrift Investment Board reported a sophisticated cyber-attack on the computer of a contractor that provided services to the Thrift Savings Plan and exposed 43,587 individuals' names, addresses and Social Security numbers and 79,614 individuals' Social Security numbers (see Why Did Hackers Hit the Fed Pension Plan?).
Two months earlier, a laptop computer containing sensitive PII was stolen from a NASA employee at the Kennedy Space Center, exposing the names, Social Security numbers, dates of birth and other personal information of 2,300 employees (see NASA Encrypting Laptops After Breach).
Series of Recommendations
GAO, in its report, offered specific recommendations to each of the eight audited agencies.
In addition, GAO recommends that OMB update its guidance on PII-related breaches to federal agencies to include:
- Guidance on notifying affected individuals based on a determination of the level of risk;
- Criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals; and
- Revised reporting requirements for PII-related breaches to U.S.-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole, and consolidated reporting of incidents that pose limited risk.
Jim Crumpacker, director of Homeland Security's departmental GAO-Inspector General Liaison Office, says in his response to the audit that DHS is preparing new incident reporting guidance that's being presented to the Federal Chief Information Officers Council's security program management subcommittee.
"Ultimately," he says, "DHS's goal is to begin phasing in any new incident reporting protocol issued by OMB and to provide all departments and agencies with sufficient grace period to ensure their incident reporting systems and procedures can be transitioned smoothly to the new system by Dec. 31."