New GAO Report Finds Agencies Failed to Fully Implement Data Breach Policies

(WASHINGTON, D.C.) – Today, Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-Del.) and Ranking Member Tom Coburn, M.D. (R-OK), along with the committee’s former Chairman and Ranking Member, Senator Susan Collins, highlighted a new report from the Government Accountability Office (GAO) entitled, “Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent,” which found that while federal agencies have data breach notification plans in place, they did not consistently notify potential victims when they discovered high-risk data breaches that jeopardized U.S. individuals’ personal information. GAO calls for the Office of Management and Budget to update its guidance and for agencies to make improvements to their existing data breach response procedures.

“Unfortunately, consumers, government agencies, and businesses of all kinds have proven to be extremely vulnerable to fraud and identity theft,” said Chairman Carper. “As Americans take greater advantage of innovations that encourage us to communicate and do business online, it is imperative that we do not let technology outpace our ability to protect sensitive information and prevent high-risk data breaches. We also need to ensure that there are effective policies in place in both the public and private sector that are consistently utilized to protect consumers in the unfortunate event of a data breach. While the Government Accountability Office found that federal agencies do have notification plans in place, it is imperative that agencies heed GAO’s warnings and implement these policies in a more robust and consistent fashion. Furthermore, the Office of Management and Budget needs to ensure that it is updating its guidance and conducting adequate oversight of agencies’ implementation. It’s also critical that agencies utilize all of the tools and resources at their disposal to prevent a data breach from happening in the first place, such as the cybersecurity resources at the Department of Homeland Security. I will continue to work with my colleagues on both sides of the aisle to prevent these types of incidents from happening in the first place, as well as reintroduce legislation that I have championed for several years, most recently with Senator Roy Blunt (R-MO), that would help put better measures in place to ensure that businesses, federal agencies, and others that hold sensitive information respond swiftly and effectively to protect consumers in the unfortunate event of a breach.”

“Americans have a right to know if their government has exposed them to potential fraud or other criminal activity,” Dr. Coburn said. “Agencies should take every precaution to safeguard Americans’ private information. In the unfortunate cases when they fall short, they should be transparent with the American people. GAO has outlined a number of steps the Office of Management and Budget can take in coordination with agencies across the federal government to improve notification practices, and I look forward to working with Chairman Carper and the administration in making these changes to increase transparency.”

“Personal information provided to some government agencies, such as the Social Security Administration, the IRS, the Centers for Medicare and Medicaid Services, and the Department of Veterans Affairs, should be protected with extreme care,” Senator Collins said. “Although federal agencies have taken steps to protect personal information, breaches continue to occur on a regular basis. In 2012, there were a reported 22,156 federal data breaches—an increase of 111 percent from incidents reported in 2009. Much more needs to be done to implement effective computer security measures. In addition to helping to prevent these security lapses, OMB needs to improve its guidance addressing these breaches when they do occur and work with agencies to improve their response.”