A report issued by the Government Accountability Office (GAO) indicates that the number of information security incidents involving the exposure of personally identifiable information (PII) has more than doubled over the last three years.
“As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including PII,” the agency said.
“Specifically, agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls. GAO and inspectors general have continued to make recommendations to strengthen agency policies and practices.”
Other key findings in the GAO report include:
- Only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches; two agencies documented the number of affected individuals for each incident; and two agencies notified affected individuals for all high-risk breaches
- The seven agencies did not consistently offer credit monitoring to affected individuals
- None of the seven agencies consistently documented lessons learned from their breach responses
“In December 2013, GAO reported on agencies’ responses to PII data breaches and found that they were inconsistent and needed improvement,” the agency stated.
“Although selected agencies had generally developed breach-response policies and procedures, their implementation of key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology guidance was inconsistent.”
Read More Here (PDF)…