The number of federal government data breaches involving personally identifiable information, such as Social Security numbers and patient health data, has more than doubled since 2009, according to a report released Wednesday by the Government Accountability Office, FCW reports (Cipriano, FCW, 4/3).
For the report, GAO officials examined how federal agencies handle data breaches (Bartz, Reuters, 4/2).
Specifically, GAO reviewed data breaches reported to the U.S. Computer Emergency Readiness Team by several federal agencies, including:
- The Department of Veterans Affairs;
- The U.S. Army;
- The Federal Retirement Thrift Investment Board;
- The Internal Revenue Service; and
- The Securities and Exchange Commission (FCW, 4/3).
The report found that the number of data breach incidents increased from 10,481 in 2009 to 25,566 in 2013 (Reuters, 4/2).
The data breaches involved information such as:
- Census data;
- Patient health information;
- Social Security information; and
- Taxpayer data.
In addition, the report found that:
- The IRS was the only agency to consistently calculate the amount of personal data at risk in each incident;
- Just two agencies -- the IRS and the Army -- recorded how many individuals had been affected;
- None of the studied agencies regularly offered credit monitoring to potential victims;
- None of the agencies regularly recorded lessons learned from their data breach responses; and
- Several agencies reported difficulty addressing the eight required components of their information security programs, specifically the implementation of security controls.
The report states, "The loss or unauthorized disclosure or alteration of the information residing on federal systems, which can include [personally identifiable information], can lead to serious consequences and substantial harm to individuals and the nation."
The report highlights guidelines from the Office of Management and Budget and the National Institute of Standards and Technology that can help federal agencies improve their information security plans. The guidelines include:
- Management practices, such as creating a breach response team and properly training employees; and
- Operational practices, such as documenting suspected data breaches and assessing the potential harm to those involved (FCW, 4/3).