As PII Data Breaches Burgeon, GAO Finds Agencies Inconsistent in Dealing with Them

Published: January 22, 2014

ARMYCybersecurityHHSDHSOMBPolicy and LegislationVA

The ongoing news of data security breaches at Target stores continues to raise awareness of the value of Personally Identifiable Information (PII) and the critical value in protecting it. Target joins a long list of other private companies and federal agencies who have suffered the theft or loss of PII data. Recently, the Government Accountability Office (GAO) released a study they conducted to determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII. They also assessed the role of the Department of Homeland Security (DHS) in collecting information on breaches involving PII and providing assistance to agencies. What GAO found indicates that the threat is often outpacing the response.

In their study, the Government Accountability Office (GAO) selected eight agencies to be included in a review of PII breach issues: the Centers for Medicare & Medicaid Services (CMS), Departments of the Army (Army) and Veterans Affairs (VA), Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), Federal Retirement Thrift Investment Board (FRTIB), Internal Revenue Service (IRS), and Securities and Exchange Commission (SEC). Their selection was based on the top three large and top three independent agencies based on the number of systems containing PII they maintained. The other two agencies were selected because one experienced the largest number of data breaches involving PII in fiscal year 2011, and the other because it experienced a significant breach in 2012.

PII Data Breaches on the Rise

According to data that federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT) data breaches involving PII have more than doubled over three years. During fiscal year (FY) 2012, the most recent data available, federal agencies reported a record 22,156 of such data breaches, a significant increase over the 15,584 incidents reported in fiscal year 2011 and a 111 percent increase from FY 2009.

Findings

After their review, the GAO came to two main conclusions. First, agencies generally developed policies and procedures for responding to PII-related breaches, but implementation was inconsistent. Both the large and small agencies usually had policies and procedures in place that included major elements of an effective data breach response program. However, implementation of these breach response policies and procedures was inconsistent. Further, incomplete guidance from OMB allowed these inconsistencies.

Second, the role of DHS in collecting PII breach information within 1 hour and providing assistance offers few benefits to agencies. Current federal regulations require agencies to report PII breaches to US-CERT within an hour of discovery, which is usually before complete information on the breach is fully known. So any assistance they can provide based on that information us extremely limited. Since US-CERT role in responding to cyber incidents is primarily in coordinating government-wide responses and providing technical assistance to agencies, GAO determined that the utility of its role in responding to PII incidents is more limited, particularly when system or network issues are not involved (i.e. loss of paper records.) Given this limited role, GAO found that the requirement to report all PII-related incidents within 1 hour provides little value.

Recommendations

The review led GAO to make numerous recommendations for improvement at agencies and government-wide. GAO recommended that OMB guidance should be updated to include guidance on notifying affected individuals based on a determination of the level of risk; criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and revised reporting requirements for PII-related breaches to US-CERT, including time frames that better reflect the needs of individual agencies and the government as a whole. In addition, GAO made 22 additional recommendations among the specific agencies, most of which can be summarized by the following:

  • Document: Agencies should improve their documentation of procedures for data breach responses, risk assessments and reasons behind risk determinations for PII breaches, and the number of affected individuals associated with each breach, etc.
     
  • Evaluate: Agencies should require an evaluation of their responses and identify lessons learned that could improve policies and practices.

Implications

Policy deliberations and updates tend to take a long time within government. Take cybersecurity legislation and other federal cyber policy as prime examples. Yet, the breathtaking pace of growth of PII breaches shows no sign of slowing. Many cybersecurity chiefs will tell you that the main things that keep them up at night are the attacks and penetrations that go undetected. The US-CERT figures are reported incidents that agencies know about. How many PII breaches have gone undetected?

As increasing amounts of PII go on-line, through efforts like the new federal and state health insurance exchanges, the lure of such a juicy target will only raise the stakes. So far, the news on this front has been mostly about challenges to successfully using the main federal web site and HHS officials have testified before Congress that the site has been thoroughly security tested. Time will tell.

What the GAO report underscores is that cybersecurity policies and procedures are equally as important as technical capabilities and tools. Good but incomplete or inconsistently-applied policies and procedures are of limited or little value and while a 1-hour reporting time on PII incidents might underscore the significance of such breaches, GAO determined that the result was more “static” than “signal.” OMB and federal agencies will need the continued help and expertise from cyber- experts across industry to aid in fortifying their PII protections and advancing their incident response.