Government Report on Privacy Breaches in Agencies

Last Friday (10/13) the U.S. House Government Reform Committee released a report on the adequacy of federal agencies’ security practices, “STAFF REPORT AGENCY DATA BREACHES SINCE JANUARY 1, 2003.”

The report discusses incidents within all the government agencies involving the loss or compromise of any sensitive personal information held by an agency or a contractor since January 1, 2003.

An important point made by the report is that, even though the agencies possess tremendous volumes of personal data, there is no requirement for any of the agencies to report breaches to the public, or even to the impacted individuals.  It seems that they should also have to abide by the existing state-level breach notification laws, doesn’t it?

“Legislation authored by Committee Chairman Tom Davis and included in the House-passed Veterans Identity and Credit Security Act of 2006 would change that.”

Actually, it appears as though this proposed bill would only apply to the Department of Veterans Affairs.  A privacy breach notification bill, and more broadly a comprehensive data protection bill, is needed that applies to all organizations: government, public, private, non-profit, and any others that handle personally identifiable information (PII).

The report makes clear that the amount and type of information the agencies provided about their incidents varied greatly, so the report cannot be considered comprehensive.  However, there are certainly some very interesting statistics and breach examples found within it.  The four conclusions of the report were:

“1. Data loss is a government-wide occurrence.
All 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003. This is not a problem that is restricted to the Department of Veterans Affairs or any other single agency.

2. Agencies do not always know what has been lost.
The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential.
Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches.
Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.”

The report then goes on to detail the reported privacy breaches within each of the agencies.  It is quite interesting!  It describes many incidents that have not previously been reported publicly.

The report concludes:

“Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since January 1, 2003. The reports show a wide range of incidents, involving employee carelessness, contractor misconduct, and third-party thefts. The number of individuals affected in each incident ranges from one to millions. However, in many cases, the agency does not know what information was lost or how many individuals potentially could be affected. Few of these incidents have been reported publicly, and it is unclear in many cases whether affected individuals have been notified or whether remedial action has been taken.

Data held by Federal agencies remains at risk.  In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen, or misplaced. In addition, in almost all of the reported cases, Congress and the public would not have learned of each event unless the Committee had requested this information.

Finally, each year, the Committee releases information security scorecards. This year the scores for many departments remained low or dropped precipitously. The federal government overall received a D+.”
