The Government Accountability Office (GAO) released a report today indicating that data breaches at federal agencies involving personally identifiable information (PII) have risen steadily for the past 5 years. The report, Federal Agencies Need to Enhance Responses to Data Breaches, shows that these breaches have more than doubled in the past 5 years.
The federal government collects large amounts of PII from the public, including taxpayer data, Social Security information, and patient health information. Although this information is designated as high-risk, it is unclear whether adequate data protections are in place or whether all agencies are able to respond quickly to data breaches when they do occur. The ongoing increase in data breaches is raising “concerns about the protection of PII,” according to the GAO report.
The GAO investigated agencies’ responses to PII data breaches, calling them “inconsistent” and in need of improvement. Areas listed for improvement include: assigning a risk level to PII data breaches, keeping accurate records of affected individuals per incident, notifying affected individuals, offering credit monitoring, and documenting lessons learned from the breach. The GAO believes that unclear guidance from the Office of Management and Budget (OMB) has contributed to agency confusion about how to respond to data breaches.
According to the report, most agencies still struggle to address the 8 components of an information security program called for by law under the Federal Information Security Management Act (FISMA). The GAO says that agencies continue to struggle with documenting security policies and procedures, monitoring security controls, and setting up incident response and reporting programs, among others. There was mixed progress in improving security standards in the past fiscal year,
The GAO made 22 recommendations to the agencies included in its review aimed at improving their data breach response activities.
If you are a federal, state or local CIO or IT administrator, you are responsible for securing data, networks, devices, and users, and for designing and implementing policies to manage everything from the day-to-day to disasters. Absolute Software has been providing state, local and federal governments (and the companies that do business with them) with solutions to manage and secure their IT endpoints (and the data they contain) since 1993.