Federal agencies not always warning about jeopardized personal information

Federal agencies have routinely failed to warn Americans about high-risk data breaches that jeopardize their personal information, according to a report last month from Congress’s nonpartisan watchdog agency.

The Government Accountability Office reviewed eight agencies for the analysis, finding that only two notified affected individuals for all of their high-risk breaches in 2012 in compliance with Office of Management and Budget guidelines, according to the report.

“Americans have a right to know if their government has exposed them to potential fraud or other criminal activity,” Sen. Tom Coburn (Okla.), the top Republican on the Senate Homeland Security and Governmental Affairs Committee, said in a statement on Wednesday. “Agencies should take every precaution to safeguard Americans’ private information.”

Homeland Security logo reflected in the eyeglasses of a cybersecurity analyst at the agency's secretive cyber defense facility in Idaho. (Mark J. Terrill/AP).

Data breaches involving government-held personal information more than doubled between 2009 and 2012, increasing from about 10,000 to roughly 22,000 during that time, according to the report.

Federal agencies are not always following established procedures for dealing with those breaches, the analysis found.

For example, federal guidelines require agencies to report all breaches to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovery. But officials feel that the rule provides few benefits because it takes days or months to compile adequate information on the incidents, according to the GAO.

“US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful,” the report said.

The GAO concluded that the reporting requirements “could be diverting attention and limited resources from other breach-response activities,” suggesting that the policies may need tweaking.

On Wednesday, Coburn and Sen. Susan Collins (R-Maine) issued a statement calling on agencies to adhere more strictly to federal guidelines and for OMB to update its policies and provide greater oversight of data-breach procedures.

“Much more needs to be done to implement effective computer security measures,” Collins said. “In addition to helping to prevent these security lapses, OMB needs to improve its guidance addressing these breaches when they do occur and work with agencies to improve their response.”

The agencies reviewed for the report were the Department of the Army, the Internal Revenue Service, the Department of Veterans Affairs, the Centers for Medicare and Medicaid Services, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Federal Reserve Board and the Federal Retirement Thrift Investment Board.

The GAO issued 23 recommendations based on its findings, calling on OMB to update its guidance for responding to data breaches and suggesting that the other agencies improve their methods for following existing policies.

Four of the agencies agreed to all of the recommendations, three expressed no position and one partially concurred but quibbled with the GAO over specifics.

Follow Josh Hicks on Twitter, Facebook or Google+. Connect by e-mail at josh.hicks@washpost.com. Visit The Federal Eye, The Fed Page and Post Politics for more federal news. E-mail federalworker@washpost.com with news tips and other suggestions.
