GAO Deems PII Protection a Key Federal ChallengeGov't PII Exposure Incidents More than Double in Five Years
GAO, in its high-risk report, calls on Congress to amend the Privacy Act and E-Government Act to more fully protect PII collected, used and maintained by federal agencies.
Since 1997, GAO - the investigative arm of Congress - has deemed as a high risk the security of federal information systems. In 2003, it added cyber critical infrastructure protection to its high-risk list. This past week, in its biannual High-Risk Series report to Congress, the watchdog agency specifically incorporated safeguarding PII in its list of high-risk areas
For nearly two decades, the GAO considered protecting PII as a component of securing federal systems because good security is required to protect private information, says Gregory Wilshusen, the agency's director of information security issues. But advances in technologies, especially in search engines and connected databases, is changing how organizations collect and store information in profound ways. "If this information should be compromised it would place individuals at risk," he says.
GAO's Gregory Wilshusen discusses inconsistencies in how agencies handle PII exposures.
Between fiscal years 2009 and 2014, incidents involving PII exposures soared by 163 percent to 27,624 from 10,481, according to an analysis by GAO of reports filed by federal agencies to the United States Computer Emergency Readiness Team.
To support its case to designate PII security as being at high risk, GAO cites major breaches this past year at the U.S. Postal Service that compromised the PII of 800,000 former and current employees and at the Office of Personnel Management that exposed the personal information of more than 40,000 federal workers.
Incidents Involving PII
Source: GAO analysis of U.S.-CERT data
"It's getting to harder and harder to say that there is only a low risk of a breach" that exposes PII, says privacy scholar Peter Swire, a Georgia Tech law professor and former OMB chief counselor for privacy. "The events of the past year tell the whole world that breaches can happen to almost anyone, including the federal government."
Wilshusen says federal government agencies are inconsistent on how they determine risks associated with PII exposures. Some agencies conduct privacy assessments after PII is compromised, as required by the White House Office of Management and Budget, while others don't.
OMB requires agencies to report breaches involving exposed PII to U.S.-CERT within an hour of learning of a compromise and conduct assessments to establish harm done to individuals in order to develop plans to reduce the risk of future compromises. But Wilshusen points out that each agency decides for itself when and if to notify individuals whose PII had been exposed. "Two different agencies may treat you and notify you and provide services to you differently even though the same information is being compromised," he says.
Wilshusen and other privacy experts says limited resources may be to blame for the lack of safeguards for PII at federal government agencies.
"The CISOs I know in the federal government are working hard to try and keep up, but too often they are given little to no resources to address information security in general or PII in particular, let alone the new tech and work habits that are evolving despite their warnings of the associated risks," says privacy and security consultant Rebecca Herold. "Government leaders need to wise up when it comes being more proactive in addressing new security risks before they let new tech into their environments."