On April 2, 2014, the United States Government Accountability Office (GAO) delivered a report on the challenges many US federal agencies face in combating information security problems. According to the GAO, the number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years. This is a dramatic increase that is unfortunately consistent with what private sector organizations are experiencing.
In December 2013, the GAO reported on agencies’ responses to PII data breaches and found that they were inconsistent and needed improvement. Federal agencies are not fully implementing the agency-wide programs needed to secure systems that contain sensitive information. Although some agencies had developed breach-response policies and procedures, their implementation of the key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance was inconsistent.
The federal government collects large quantities of PII, including taxpayer data, census data, Social Security information, and patient health information. Even though no US federal data breach law exists, federal agencies are still bound by the Federal Information Security Management Act of 2002 (FISMA) to implement an information security program to protect this sensitive data.
The GAO report revealed that security incidents increased dramatically from about 30,000 in 2009 to just over 61,000 in 2013. Incidents involving PII went from just over 10,000 to more than 25,000 over the same period. When I read this report, I assumed that most of the incidents were caused by hackers. On the contrary. A large percentage had nothing to do with hackers, but with internal mistakes or a lack of proper oversight:
- 25 percent were non-cyber
- 19 percent were from a policy violation
- 16 percent were the result of malicious code or malware
- 16 percent were related to equipment
While cybercrime makes the headlines, the reality is that many of these data breaches are preventable by defining and implementing security policies, providing proper training, and ensuring that everyone understands the importance of keeping sensitive information confidential.
One example cited in the report was a laptop computer containing sensitive PII stolen from a National Aeronautics and Space Administration (NASA) employee at the Kennedy Space Center. The names, Social Security numbers, dates of birth, and other personal information of 2,300 employees were exposed. This wasn’t a hacker, but old-fashioned theft.
The report made the following recommendations to OMB to revise its guidance on how federal agencies handle PII-related data breaches:
- Guidance on notifying affected individuals based on a determination of the level of risk
- Criteria for determining whether to offer assistance, such as credit monitoring, to affected individuals
- Revised requirements for reporting PII-related breaches to US-CERT
The report also made recommendations to the agencies included in its review, aimed at improving their data breach response activities. Some of these seem fairly obvious, but many of the agencies still aren’t in compliance:
- Consistently document risk levels and how they are determined for PII-related data breach incidents
- Document the number of affected individuals for each incident
- Identify lessons learned from responses to PII breaches
While these recommendations apply to the US federal government, private and other public organizations can learn from them. Assessing risk in your organization should be nothing new when it comes to your physical infrastructure, but many organizations are still lacking policies and procedures related to data breaches. Just as you should have an escape route in case of fire in your office, you should have a data breach policy and response plan in place in case you have a breach.
Photo credit Timothy Krause