Privacy
Lessons Learned about Data Breach Notification
GAO ID: GAO-07-657 April 30, 2007
A May 2006 data breach at the Department of Veterans Affairs (VA) and other similar incidents since then have heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. GAO's objective was to identify lessons learned from the VA data breach and other similar federal data breaches regarding effectively notifying government officials and affected individuals about data breaches. To address this objective, GAO analyzed documentation and interviewed officials at VA and five other agencies regarding their responses to data breaches and their progress in implementing standardized data breach notification procedures. The cases at the other agencies were chosen because, like the VA case, they involved loss or theft of computing equipment and relatively large numbers of affected individuals (10,000 or more).
Based on the experience of VA and other federal agencies in responding to data breaches, GAO identified the following lessons learned regarding how and when to notify government officials, affected individuals, and the public: (1) rapid internal notification of key government officials is critical; (2) because incidents vary, a core group of senior officials should be designated to make decisions regarding an agency's response; (3) mechanisms must be in place to obtain contact information for affected individuals; (4) determining when to offer credit monitoring to affected individuals requires risk-based management decisions; (5) interaction with the public requires careful coordination and can be resource-intensive; (6) internal training and awareness are critical to timely breach response, including notification; and (7) contractor responsibilities for data breaches should be clearly defined. These lessons have largely been addressed in guidance issued in 2006 from the Office of Management and Budget (OMB), which is responsible for overseeing security and privacy within the federal government. However, guidance to assist agency officials in making consistent risk-based determinations about when to offer credit monitoring or other protection services has not been developed. Without such guidance, agencies are likely to continue to make inconsistent decisions about what protections to offer affected individuals, potentially leaving some people more vulnerable than others.
GAO-07-657, Privacy: Lessons Learned about Data Breach Notification
This is the accessible text file for GAO report number GAO-07-657
entitled 'Privacy: Lessons Learned about Data Breach Notification'
which was released on April 30, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
April 2007:
Privacy:
Lessons Learned about Data Breach Notification:
GAO-07-657:
GAO Highlights:
Highlights of GAO-07-657, a report to congressional requesters
Why GAO Did This Study:
A May 2006 data breach at the Department of Veterans Affairs (VA) and
other similar incidents since then have heightened awareness of the
importance of protecting computer equipment containing personally
identifiable information and responding effectively to a breach that
poses privacy risks. GAO's objective was to identify lessons learned
from the VA data breach and other similar federal data breaches
regarding effectively notifying government officials and affected
individuals about data breaches. To address this objective, GAO
analyzed documentation and interviewed officials at VA and five other
agencies regarding their responses to data breaches and their progress
in implementing standardized data breach notification procedures. The
cases at the other agencies were chosen because, like the VA case, they
involved loss or theft of computing equipment and relatively large
numbers of affected individuals (10,000 or more).
What GAO Found:
Based on the experience of VA and other federal agencies in responding
to data breaches, GAO identified the following lessons learned
regarding how and when to notify government officials, affected
individuals, and the public:
* Rapid internal notification of key government officials is critical.
* Because incidents vary, a core group of senior officials should be
designated to make decisions regarding an agency's response.
* Mechanisms must be in place to obtain contact information for
affected individuals.
* Determining when to offer credit monitoring to affected individuals
requires risk-based management decisions.
* Interaction with the public requires careful coordination and can be
resource-intensive.
* Internal training and awareness are critical to timely breach
response, including notification.
* Contractor responsibilities for data breaches should be clearly
defined.
These lessons have largely been addressed in guidance issued in 2006
from the Office of Management and Budget (OMB), which is responsible
for overseeing security and privacy within the federal government.
However, guidance to assist agency officials in making consistent risk-
based determinations about when to offer credit monitoring or other
protection services has not been developed. Without such guidance,
agencies are likely to continue to make inconsistent decisions about
what protections to offer affected individuals, potentially leaving
some people more vulnerable than others.
What GAO Recommends:
To better ensure that individuals who are at risk of identity theft are
offered consistent levels of support, GAO is recommending that the
Director of OMB develop guidance for agencies on when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of
identity theft. In written comments on a draft of this report, OMB and
VA concurred with GAO's recommendation.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-657].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda D. Koontz at (202)
512-6240 or koontzl@gao.gov.
[End of section]
Contents:
Letter:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Briefing to Staff of Congressional Requesters:
Appendix II: Comments from the Office of Management and Budget:
Appendix III: Comments from the Department of Veterans Affairs:
Appendix IV: GAO Contact and Staff Acknowledgments:
Abbreviations:
HHS: Department of Health and Human Services:
OMB: Office of Management and Budget:
PII: personally identifiable information:
VA: Department of Veterans Affairs:
April 30, 2007:
Congressional Requesters:
In May 2006, the Department of Veterans Affairs (VA) announced that
computer equipment containing personally identifiable information
(PII)[Footnote 1] on approximately 26.5 million veterans and active
duty members of the military was stolen from the home of a VA employee.
Until the equipment was recovered, veterans did not know whether their
information was likely to be misused. In addition to concerns about
protecting personal information, the incident highlighted unclear
policy about security breach notification procedures. The VA data
breach coupled with recent reports of other federal data breach
incidents have heightened awareness of the need for agencies to be
prepared to effectively respond to a breach that poses privacy risks.
While existing laws generally do not require agencies to notify
affected individuals of data breaches, such notification appears to be
consistent with agencies' responsibilities under the Privacy Act of
1974 and promotes accountability for privacy protection.[Footnote 2]
When data breaches occur, notification has clear benefits such as
allowing the affected individuals the opportunity to take steps to
protect themselves from identity theft or other misuse of their
personal information.
However, as we noted in June 2006, public notification of data breaches
presents challenges as well as benefits.[Footnote 3] Determining the
specific criteria for incidents that merit notification involves these
important considerations:
* Notification of a breach when there is little or no risk of harm
might create unnecessary concern and confusion.
* Sending too many notices, based on overly strict criteria, could
render all such notices less effective, because consumers could become
desensitized to them and fail to act when risks are truly significant.
* The costs associated with notification are not insignificant for
either agencies or individuals.
As agreed with the requesters' staff, our objective was to identify
lessons learned from the VA data breach and other similar federal data
breaches regarding effectively notifying government officials and
affected individuals about data breaches.
To address our objective, we analyzed documentation capturing lessons
learned from VA's data breach, including reports on actions taken and
planned to address the data breach and to protect personal information.
We interviewed VA officials regarding how they decided to address data
breach notification and their plans and progress in implementing
standardized data breach notification procedures. We also analyzed
current federal guidance on data breach notification procedures and
interviewed cognizant officials about the guidance. In addition, we
examined similar data breach cases at five other agencies--the
Departments of Agriculture, Defense, Education, Health and Human
Services (HHS), and Transportation--to determine their notification
practices and lessons learned regarding how and when to notify affected
individuals or the public. These cases were chosen because, like the VA
case, they involved relatively large numbers of affected individuals
(10,000 or more) and also involved circumstances similar to VA's--the
loss or theft of computing equipment containing PII. The cases at
Agriculture, Education, and HHS involved data breaches of information
held by contractors. We conducted our review in accordance with
generally accepted government auditing standards from August 2006
through February 2007.
On March 9, 2007, we provided staff of requesters with a briefing on
the results of our study. The slides from that briefing, with minor
technical clarifications, are included as appendix I of this report.
The purpose of this report is to provide the published briefing slides
to you and to officially transmit our recommendation to the Office of
Management and Budget (OMB).
In summary, based on the experience of VA and other federal agencies in
responding to data breaches, we identified the following lessons
learned regarding how and when to notify government officials, affected
individuals, and the public:
* Rapid internal notification of key government officials is critical.
Internal delays prevented key VA officials, including the Secretary,
from being aware of the data breach until as long as two weeks after it
occurred. Because of these delays, the department's decision about how
to respond was also delayed. As a result, affected individuals were
denied the opportunity to take prompt steps to protect themselves
against the dangers of identity theft. Prompt internal notification
would help ensure that future data breaches are addressed promptly,
maximizing the opportunity for affected individuals to effectively take
precautions.
* Because incidents vary, a core group of senior officials should be
designated to make decisions regarding an agency's response. In the VA
incident, a variety of key decisions needed to be made, including what
information had been compromised, what risks the theft posed, and
how affected individuals should be notified. Cognizant officials at VA
were initially unsure about who should be involved in decision making
about the incident. Establishment of core management groups within
agencies that can be convened in the event of a breach to evaluate the
situation and guide the agency's response should help ensure that
future data breaches are addressed consistently.
* Mechanisms must be in place to obtain contact information for
affected individuals. VA and other agencies faced challenges in
identifying addresses for all individuals affected by their data
breaches. If proper public notices as required by the Privacy Act are
made in advance, key agencies will more likely be in a better position
to assist in responding to data breaches by providing address or other
contact information to affected agencies.
* Determining when to offer credit monitoring to affected individuals
requires risk-based management decisions. Agencies have made varying
decisions about how and when to offer credit monitoring. As a result,
affected individuals may not always receive a consistent level of
support from the federal government when their personal information is
compromised. Until guidance is available to promote consistent decision
making by federal agencies, protections offered to affected individuals
are likely to remain inconsistent.
* Interaction with the public requires careful coordination and can be
resource-intensive. VA invested substantially in facilities to help
address follow-on inquiries and provide information to support affected
individuals after notifications were issued to affected individuals.
Other agencies have also taken a variety of actions to establish call
centers to interact with the public.
* Internal training and awareness are critical to timely breach
response, including notification. The slow response to the May 2006 VA
incident highlighted the need for personnel to be more aware of the
agency's privacy and security procedures, including incident response
and reporting procedures. Because a prompt response is critical, agency
personnel must be prepared in advance with an understanding of their
roles and responsibilities in responding to a data breach.
* Contractor responsibilities for data breaches should be clearly
defined. While the VA data breach did not involve contractors, the
issue of contractor responsibilities has figured prominently in three
other recent incidents (at Agriculture, Education, and HHS). Contractor
obligations for taking steps, such as notifying affected individuals or
providing credit monitoring, may be unclear unless specified in the
contract.
These lessons have largely been addressed in guidance from OMB, which
is responsible for overseeing security and privacy within the federal
government. However, guidance to assist agency officials in making
consistent risk-based determinations about when to offer credit
monitoring or other protection services has not been developed. Without
such guidance, agencies could make inconsistent decisions about what
protections to offer affected individuals, potentially leaving some
more vulnerable than others.
Conclusions:
VA's data breach of May 2006 and other recent federal data breaches
provide valuable lessons learned for agencies about responding to such
incidents. Key government officials need to be informed promptly, and a
designated group of agency officials must be ready to make prompt
decisions about notification, which can be challenging if address
information is not readily available. Careful planning is needed to be
able to interact effectively with the public, training and awareness
are critical, and contractor roles and responsibilities must be
defined.
To its credit, OMB responded to the VA data breach by issuing guidance
and forwarding recommendations by the ID Theft Task Force that largely
address these lessons. However, the issue of how to make risk-based
determinations on when to offer credit monitoring and when to contract
for an alternative form of monitoring, such as data breach monitoring,
has not been addressed in guidance. Without such guidance, agencies are
likely to continue to make inconsistent decisions about what
protections to offer affected individuals.
Recommendation for Executive Action:
We recommend that the Director of OMB develop guidance for federal
agencies on conducting risk analyses to determine when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of
identity theft as a result of a federal data breach.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from OMB
Administrator of the Office of E-Government and Information Technology
and from the Secretary of Veterans Affairs. (These written comments are
reproduced in apps. II and III.) OMB agreed with our recommendation and
noted that while it is important that individuals receive consistent
responses and levels of support from federal agencies, the same
response or type of support will not be appropriate in every situation.
We agree that appropriate responses must be tailored to address the
circumstances of the breach and believe additional guidance from OMB
can facilitate consistent agency decision making about such responses.
In addition, OMB commented that our definition of PII is similar to one
it has used and noted that its definition of PII is likely to be
revised in the future. However, we believe the definition we have used
is appropriate for the material discussed in this report.
In written comments on the draft of this report, the Secretary of VA
agreed with our findings and our recommendation to OMB. The Secretary
also stated that VA is finalizing its new data breach regulation that
implements the Veterans Benefits, Health Care, and Information
Technology Act of 2006, Public Law 109-461.[Footnote 4] This act
requires VA to issue interim regulations for the provision of certain
services, including notification, in the event that a data breach of
veterans' sensitive personal information results in a determination
that a reasonable risk exists for the potential misuse of the
information.
We are sending copies of this report to interested congressional
committees; the Secretary of Veterans Affairs; the Director, OMB; and
other interested parties. We will also make copies available to others
upon request. In addition, the report will be available at no charge on
the GAO Web site at [Hyperlink, http://www.gao.gov].
Should you have any questions on matters contained in this report,
please contact me at (202) 512-6240 or by e-mail at koontzl@gao.gov.
GAO staff who made major contributions to this report are included in
appendix IV.
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
List of Requesters:
The Honorable Harry Reid:
Majority Leader:
United States Senate:
The Honorable Daniel K. Akaka:
Chairman:
Committee on Veterans' Affairs:
United States Senate:
The Honorable Joseph I. Lieberman:
Chairman:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Bob Filner:
Chairman:
Committee on Veterans' Affairs:
House of Representatives:
The Honorable Hillary Rodham Clinton:
United States Senate:
The Honorable Byron L. Dorgan:
United States Senate:
The Honorable Patty Murray:
United States Senate:
The Honorable Barack Obama:
United States Senate:
The Honorable John D. Rockefeller, IV:
United States Senate:
The Honorable Ken Salazar:
United States Senate:
The Honorable Charles E. Schumer:
United States Senate:
[End of section]
Appendix I: Briefing to Staff of Congressional Requesters:
Privacy: Lessons Learned about Data Breach Notification:
Briefing to staff of Congressional Requesters:
March 09, 2007:
Contents:
Introduction:
Objective, Scope, and Methodology:
Results in Brief:
Background:
Data Breach Notification Lessons Learned:
Conclusions:
Recommendation:
Agency Comments:
Attachment I: Summary of data breach incidents at five agencies:
Introduction:
In May 2006, the Department of Veterans Affairs (VA) announced that
computer equipment containing personally identifiable information
(PII)[Footnote 5] on approximately 26.5 million veterans and active
duty members of the military was stolen from the home of a VA employee.
In June, VA sent notices to the affected individuals that explained the
breach and offered advice on steps to take to reduce the risk of
identity theft.
The equipment was eventually recovered, and forensic analysts concluded
that it was unlikely that the personal information contained therein
was compromised.[Footnote 6]
Until the equipment was recovered, veterans did not know whether their
information was likely to be misused.
In addition to concerns about protecting personal information, the
incident highlighted unclear policy about security breach notification
procedures.
The Senate Majority Leader, the Chairman, Senate Committee on Veterans
Affairs, and other Congressional requesters asked us to review lessons
learned from the VA data breach about how to effectively notify
government officials and the public about security breaches.
Objective, Scope, and Methodology:
As agreed with the requesters' staff, our objective was to identify
lessons learned from the VA data breach and other similar federal data
breaches regarding effectively notifying government officials and
affected individuals about data breaches.
To address our objective, we:
Analyzed documentation capturing lessons learned from VA's data breach,
including reports on actions taken and planned to address the data
breach and to protect personal information.
Interviewed VA officials regarding how they decided to address data
breach notification and their plans and progress in implementing
standardized data breach notification procedures.
Analyzed current federal guidance on data breach notification
procedures and interviewed cognizant officials about the guidance.
Examined similar data breach cases at five other agencies--the
Departments of Agriculture, Defense, Education, Health and Human
Services (HHS), and Transportation--to determine their notification
practices and lessons learned regarding how and when to notify affected
individuals or the public. The cases were chosen because, like the VA
case, they involved relatively large numbers of affected individuals
(10,000 or more) and also involved circumstances similar to VA's--the
loss or theft of computing equipment containing PII. The cases at
Agriculture, Education, and HHS involved data breaches of information
held by contractors.
We conducted our review in accordance with generally accepted
government auditing standards from August 2006 through February 2007.
Results In Brief:
Based on the experience of VA and other federal agencies in responding
to data breaches, we identified the following lessons learned regarding
how and when to notify government officials, affected individuals, and
the public:
Rapid internal notification of key government officials is critical.
Because incidents vary, a core group of senior officials should be
designated to make decisions regarding an agency's response.
Mechanisms must be in place to obtain contact information for affected
individuals.
Determining when to offer credit monitoring to affected individuals
requires risk-based management decisions.
Interaction with the public requires careful coordination and can be
resource-intensive.
Internal training and awareness are critical to timely breach response,
including notification.
Contractor responsibilities for data breaches should be clearly
defined.
These lessons have largely been addressed in guidance from the Office
of Management and Budget (OMB), which is responsible for overseeing
security and privacy within the federal government. However, guidance
to assist agency officials in making consistent risk-based
determinations about when to offer credit monitoring or other
protection services has not been developed. Without such guidance,
agencies are likely to continue to make inconsistent decisions about
what protections to offer affected individuals, potentially leaving
some more vulnerable than others.
To better ensure that individuals who are at risk of identity theft are
offered consistent levels of support, we are recommending that the
Director, OMB, develop guidance for agencies on when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of
identity theft as a result of a federal data breach.
An OMB Policy Analyst in the Information Policy and Technology Branch
provided an e-mail message stating that OMB concurred with our
recommendation.
In oral comments on a draft of this briefing, VA officials, including
the VA/GAO Liaison, Office of Congressional and Legislative Affairs,
agreed with our results. VA also provided technical comments, which
have been incorporated as appropriate.
Background:
The VA data breach coupled with recent reports of other federal data
breach incidents have heightened awareness of the need for agencies to
be prepared to effectively respond to a breach that poses privacy
risks.
While existing laws generally do not require agencies to notify
affected individuals of data breaches, such notification appears to be
consistent with agencies' responsibilities under the Privacy Act of
1974 and promotes accountability for privacy protection.[Footnote 7]
When data breaches occur, notification has clear benefits such as
allowing the affected individuals the opportunity to take steps to
protect themselves from identity theft or other misuse of their
personal information.
As we noted in June 2006, public notification of data breaches presents
challenges as well as benefits.[Footnote 8]
Determining the specific criteria for incidents that merit notification
involves these important considerations:
Notification of a breach when there is little or no risk of harm might
create unnecessary concern and confusion.
Sending too many notices, based on overly strict criteria, could render
all such notices less effective, because consumers could become
desensitized to them and fail to act when risks are truly significant.
The costs associated with notification are not insignificant for either
agencies or individuals.
While care needs to be taken to avoid requiring organizations to notify
the public of trivial incidents, setting criteria that are too open-
ended or that rely too heavily on the discretion of the affected
organization could lead to inadequate notification.
To mitigate such a risk, we suggested that a two-tiered approach could
be adopted, by which agencies are required to notify an entity such as
OMB of all data breach incidents while notifying affected individuals
only of incidents where there is a risk of identity theft.
Guidance subsequently issued by OMB conforms to this approach; it
requires agencies to report all incidents involving PII to the
Department of Homeland Security's Computer Emergency Readiness Team
(US-CERT) within one hour of discovering the incident and recommends
that senior agency officials make risk-based determinations of whether
to inform the affected individuals.
In addition, OMB responded to the VA data breach incident by issuing
several other guidance documents in late May and June 2006 to all
federal agencies. These documents directed agencies to:
review their practices to ensure they had adequate safeguards to
prevent misuse of or unauthorized access to PII; and:
use security measures, such as data encryption for mobile computers and
devices, to protect data removed from an agency location.
In a separate action, the Identity Theft Task Force was chartered by
the President in early May 2006 to strengthen efforts to protect
against identity theft. The task force is composed of senior officials
from major federal agencies.
In September 2006, OMB issued interim guidance on data breach
notification based on recommendations made by the task force. It
included these recommended practices:
Each agency should establish a core management group to respond to the
loss of personal information. In the event of a loss, that group should
convene to conduct a risk analysis to determine whether the incident
might pose problems related to identity theft. If such a risk exists,
the agency should tailor its response to the nature and scope of the
risk.
The core management group is to include the chief information officer,
chief privacy officer, chief legal officer, a senior management
official, and the agency's inspector general.
According to the interim guidance, in tailoring its response, the group
should consider:
* procuring commercial services to monitor whether a breach results in
identity theft--an option that may be useful for incidents involving
data gathered on large numbers of individuals,
* offering credit monitoring services to affected individuals--a
potentially expensive option, and:
* coordinating the agency's response with law enforcement through the
agency's inspector general.
Should agencies decide to notify affected individuals, they are
encouraged by the interim guidance to incorporate the following
elements into the notification process:
* Provide the notice in a timely manner, but not based on incomplete
facts or in a manner likely to make identity theft more likely to
occur.
* Have a responsible official of the agency be the official source of
the notice.
* Deliver notices primarily through first class mail to the last known
mailing addresses of the affected individuals.
* Prepare for follow-on inquiries from affected individuals with Web
site postings, by establishing call centers, and by alerting other
entities, such as credit-reporting agencies.
Further, agencies are encouraged to include the following content in
their notification letters:
* a brief description of what happened;
* to the extent possible, a description of the types of personal
information that were involved in the data security breach (e.g., full
name, Social Security number, date of birth, etc.);
* a brief description of agency actions to investigate the breach, to
mitigate losses, and to protect against any further breaches;
* contact procedures for those wishing to ask questions or learn
additional information, including a toll-free telephone number, Web
site, and/or postal address; and:
* steps individuals should take to protect themselves from the risk of
identity theft, including steps to take advantage of any credit
monitoring or other service the agency intends to offer and contact
information for the Federal Trade Commission Web site.
In December 2006, the Veterans Benefits, Health Care, and Information
Technology Act of 2006 (Public Law 109-461) became law. Among other
things, the law specifies circumstances under which VA is required to
provide credit protection services. Specifically, the law provides
that:
* In the event of a data breach, an independent assessment is to be
conducted by the Inspector General or another independent entity to
determine the risk that the breached information may be misused;
* VA is to provide credit protection services, if the Secretary
determines that a reasonable risk of misuse exists, based on the
independent assessment;
* VA is to develop regulations regarding notification, data mining, fraud
alerts, data breach analysis, credit monitoring, identity theft
insurance, and credit protection services; and
* VA is to provide reports to Congress on data breaches, including the
required independent assessments, the Secretary's determinations based
on the assessments, and the services offered in response.
Like VA, many other federal agencies have experienced security
breaches. According to the House Government Reform Committee, since
January 2003 all 19 departments and numerous federal agencies have
reported at least one loss of PII that could expose individuals to
identity theft.[Footnote 9]
Compromised information included individual Social Security numbers,
names, addresses, dates of birth, medical information, fingerprint
cards, taxpayer records, and financial information.
Agencies have taken a variety of actions to notify government officials
as well as the affected individuals and the public.
Attachment 1 provides case examples of recent data breaches and the
responses to them at the five federal agencies we reviewed.
Data Breach Notification Lessons Learned:
Based on the experience of VA and other federal agencies in responding
to data breaches, the following are lessons learned regarding how and
when to notify government officials, affected individuals, and the
public:
* Rapid internal notification of key government officials is critical.
* Because incidents vary, a committee of key officials should make
decisions regarding an agency's response.
* Mechanisms must be in place to obtain contact information for affected
individuals.
* Determining whether to offer credit monitoring to affected individuals
requires risk-based management decisions.
* Interaction with the public requires careful coordination and can be
resource-intensive.
* Internal training and awareness are critical.
* Contractor responsibilities for data breaches should be clearly
defined.
Data Breach Notification Lessons Learned: Rapid internal notification:
Rapid internal notification of key government officials is critical.
Internal delays prevented key VA officials, including the Secretary,
from being aware of the data breach until as long as two weeks after it
occurred.
The VA employee whose computer equipment was stolen on May 3, 2006,
notified VA's Deputy Assistant Secretary for Policy about the incident
on the same day.
Two days later (May 5), the Acting Assistant Secretary for Policy and
Planning was notified.
In turn, the Acting Assistant Secretary informed the VA's Chief of
Staff on May 9.
Finally, the Chief of Staff informed the Secretary on May 16, almost two
weeks after the theft.
On May 22, almost three weeks after the incident, VA publicly announced
the data theft. Contractors did not begin mailing initial notification
letters to affected individuals on VA's behalf until June 9, more than a
month after the incident.
Because of these delays, the department's decisions about how to
respond were also delayed, and, as a result, affected individuals were
denied the opportunity to take prompt steps to protect themselves
against the dangers of identity theft.
In addition, the public's trust and confidence in VA may have been
diminished because of the slow response.
VA has taken steps to develop a uniform response policy and standard
operating procedures to improve its data breach response capabilities.
As part of these procedures, VA has established key organizational
responsibilities for various aspects of breach response such as roles
for information security officers, the chief privacy officer, and the
chief information officer and is in the process of identifying criteria
to conduct timely and uniform risk assessments and determine
appropriate levels of VA response.
On July 12, 2006, OMB issued guidance[Footnote 10] requiring agencies
to report "all incidents involving personally identifiable information
in electronic or physical form" to US-CERT within one hour of becoming
aware of the occurrence. The OMB guidance requires all incidents,
whether suspected or confirmed, to be reported.
Other agencies have taken steps to improve the timeliness of their
responses and have implemented the OMB guidance. For example:
In October 2006, the Department of Transportation issued updated
procedures for implementing protection of sensitive PII. It calls for
all incidents involving a possible or confirmed compromise of such
information to be reported to the appropriate unit's chief information
officer and computer incident response team within one hour of
discovery.
In November 2006, the Department of Health and Human Services (HHS)
issued procedures requiring the chief information security officer to
report PII breaches within one hour of detection to the department's
PII Breach Response Team and US-CERT.
If followed, these procedures should help ensure that future data
breaches are addressed promptly, maximizing the opportunity for
affected individuals to effectively take precautions.
Data Breach Notification Lessons Learned: Core decision-making group:
Because incidents vary, a core group of senior officials should be
designated to make decisions regarding an agency's response.
In the VA incident, a variety of key decisions needed to be made
including:
* how to work with law enforcement to recover the stolen equipment,
* what information had been compromised and what risks the theft posed,
* how affected individuals should be notified, and
* what services should be provided to assist affected individuals.
Cognizant officials at VA were initially unsure about who should be
involved in decision making about the incident.
Since the VA incident, the Identity Theft Task Force and OMB have
recommended that agencies identify a core response group that can be
convened in the event of a breach to evaluate the situation and help
guide further response. Among other things, the core group should:
* consist of the chief information officer, chief privacy officer, chief
legal officer, a senior management official, and the agency's inspector
general; and
* ensure that the agency has brought together employees who have
expertise in the basic competencies needed to respond, including
information technology and legal considerations (e.g., the Privacy
Act).
Since the data breach, VA has established an Incident Resolution Core
Team consisting of key management officials including the chief
information officer, chief technology officer, privacy officer, and
other senior officials from VA's offices of Information Technology,
General Counsel, Cyber and Information Security, Congressional
Relations, Public Affairs, and Human Resources.
Officials from each of the five agencies said that they had or were in
the process of establishing core management groups to respond to the
loss of personal information. For example, HHS has established a PII
Breach Response Team consisting of senior officials with expertise in
information technology, legal requirements, privacy, law enforcement,
and information security. This group is chartered to analyze incidents,
evaluate the risk of identity theft, and provide guidance for further
response.
Within individual agencies, establishment of a core management group
should help ensure that future data breaches are addressed
consistently.
Data Breach Notification Lessons Learned: Obtaining contact
information:
Mechanisms must be in place to obtain contact information for affected
individuals.
VA mailed two notifications to individuals affected by the May 2006
breach: an initial notice in June and a follow-up notice in August
after the stolen equipment had been recovered.
The VA did not have contact information on hand for all affected
individuals. To obtain addresses for mailing the first notification
letter, VA sought assistance from the Social Security Administration
(SSA) and the Internal Revenue Service (IRS). SSA agreed to verify the
names and Social Security numbers of the approximately 26.5 million
affected individuals against data contained in its systems and delete
the names and Social Security numbers of individuals that did not match
SSA's records or were identified as deceased. SSA then forwarded the
verified names and Social Security numbers to the IRS. IRS agreed to
forward the first round of letters on VA's behalf to individuals
verified by SSA.
According to VA officials, IRS made specific legal determinations
before participating in the notification process. Disclosure of
personal information associated with tax returns is protected by
Internal Revenue Code provisions as well as the Privacy Act of 1974.
Regarding the first letter, VA officials reported that IRS had
determined that the potential compromise of personal information from
the VA breach could result in an impact on tax administration and thus
it was appropriate to disclose address information for the purpose of
notifying affected individuals.
After the first notice was issued, the stolen equipment was recovered
and, based on forensic analysis, the Federal Bureau of Investigation
made a determination that the data had not been compromised. As a
result, VA decided to issue a second notice informing affected
individuals of the status of the data breach and services that the
department was continuing to offer.
However, IRS denied VA's request for addresses for the second
notification because IRS concluded that, since the data had not been
compromised, there was no longer any potential impact on tax
administration and thus the address information could not be disclosed
a second time.
To carry out the notification, VA obtained the addresses it needed from
a commercial information reseller.[Footnote 11]
Other agencies also faced challenges in identifying addresses for all
individuals affected by data breaches. For example:
Although Education identified addresses for most of the individuals
affected by its data breach, it was not able to contact all of them.
Specifically, Education's contractor was unable to identify addresses
for 60 of the 13,756 affected individuals. Of the letters it sent to
the other 13,696 affected individuals, 619 were returned as
undeliverable, and the contractor then identified 560 alternative
addresses from parents of survey participants, school records, or
public database searches and mailed the letters again with the updated
address information to those addresses. This left 119 affected
individuals that the department was unable to contact through these
means.
Faced with the challenge of attempting to identify all affected
individuals and their addresses, Agriculture decided instead to mail
notification letters to all individuals included on their Tobacco
Transition Payment Program mailing list. While this approach likely
resulted in contact with most affected individuals, it did not provide
a guarantee that all affected individuals had been reached.
Likewise, Navy took broad action to notify affected persons of their
data breach rather than attempt to identify specific affected
individuals and their addresses. Navy issued an e-mail to notify all
current active and reserve Marines, published a notification in a
Marine quarterly newsletter issued to retired Marines, and posted two
news announcements (Washington Dateline on 4/4/06 and Marine Corps
Times on 4/10/06).
To improve federal agencies' ability to obtain contact information to
respond to a data breach, the Identity Theft Task Force proposed
directing federal agencies to publish a "routine use" for their systems
of records under the Privacy Act[Footnote 12] that would allow for the
disclosure of information such as addresses to assist in the response
to a breach of federal data.
If the disclosure of contact information in the event of data breaches
is specified as a routine use, a major obstacle would be removed from
other agencies providing addresses or other contact information to
affected agencies.
OMB has drafted guidance that incorporates the task force's
recommendation, which it plans to issue when the task force publishes
its final report.
Data Breach Notification Lessons Learned: Credit monitoring:
Determining when to offer credit monitoring to affected individuals
requires risk-based management decisions.
VA initially decided to provide affected individuals with credit
monitoring for one year. The department estimated that this would cost
about $160 million. Despite the substantial cost, VA officials believed
this service was an important element in protecting the personal
information of veterans and their beneficiaries.
Due to the substantial anticipated cost, VA initially requested a
supplemental appropriation of $131.5 million in fiscal year 2006.
However, VA subsequently decided not to offer credit monitoring
services after the stolen equipment was recovered and it was determined
that there was little risk of misuse.
In deciding when to provide credit monitoring services, other agencies
we reviewed primarily considered two key factors: the cost of the
service and the risk of identity theft. Because of the high anticipated
cost, these agencies decided not to offer credit monitoring services or
to limit the availability of such services.
For example, after considering credit monitoring services,
Transportation Inspector General officials stated that their office
could not afford the estimated $500,000 per month cost.
Contractors representing Education and HHS provided credit monitoring
services only to those individuals who contacted them and specifically
requested the service. The notification letters sent to the affected
individuals did not mention that the service was available.
Other types of monitoring have been used in place of credit monitoring.
For example, commercial data breach analysis services are available to
analyze whether a particular data loss can be linked to reported cases
of identity theft.
According to the Identity Theft Task Force, data breach analysis can
assist an agency in determining whether the particular incident is the
source of identity theft, or whether reported cases of identity theft
are due to other causes. VA and Transportation both used data breach
analysis to help monitor whether there was evidence of identity theft
as a result of their data breaches.
The result of variations in approaches to credit monitoring and data
breach monitoring on the part of federal agencies is that individuals
who are exposed to the risk of identity theft may receive inconsistent
protection depending on the varying decisions made by the agencies that
suffered the data breaches.
The Identity Theft Task Force has noted that agencies may wish to
consider offering credit monitoring services and has advised that they
consider the seriousness of the risk of identity theft in doing so.
However, the task force did not develop specific guidance for making
such risk-based determinations. Such guidance would characterize the
risk levels of typical categories of breach incidents and recommend the
type of privacy protection services that would be most appropriate for
each category.
OMB has directed that agencies choosing to offer credit monitoring
services use blanket purchase agreements managed by GSA. However, it
also has not developed guidance for agencies on making risk-based
determinations on when to offer credit monitoring or when to contract
for data breach monitoring.
As seen in the varying decisions that federal agencies have made in how
and when to offer credit monitoring, affected individuals may not
always receive a consistent level of support from the federal
government when their personal information is compromised. As a result,
some may be more vulnerable to the adverse effects of identity theft
than others. Until guidance is available to promote consistent decision-
making by federal agencies, protections offered to affected individuals
are likely to remain inconsistent.
Data Breach Notification Lessons Learned: Interaction with the public:
Interaction with the public requires careful coordination and can be
resource-intensive.
VA invested substantially in facilities to help address follow-on
inquiries and provide information to support affected individuals.
With the support of the General Services Administration (GSA), VA
established a call center with the capacity to handle up to 260,000
calls a day. VA reprogrammed about $25 million to pay for this center.
(The volume of calls received was less than VA expected; according to a
GSA official, the call center received a total of about 250,000 calls.)
VA developed a citizen telephone response plan and assigned "response
approvers" to work with call center personnel who were interacting with
the public.
VA also developed an expedited approval process for updates to
information regarding the data breach to ensure that complete and
consistent information was made available to the public.
Other agencies have taken a variety of actions to establish call
centers to interact with the public. For example:
The contractor for Education set up a call center and logged each call,
e-mail, or letter received from an affected individual. Through
November 28, 2006, the center had logged 235 entries.
Transportation established a hotline for affected individuals to
contact if they suspected fraud. The hotline was staffed 24 hours a
day, seven days a week.
The contractor for HHS set up several call centers. From July 27
through July 31, 2006, a total of 1,406 individuals had contacted these
call centers.
The ID Theft Task Force addressed the use of call center support in its
September 2006 recommendations, which were subsequently promulgated by
OMB. Specifically, the task force recommended that agencies:
* Consider implementing an announcement strategy in preparing for follow-
on inquiries about an incident. Such a strategy could include public
statements and Web site postings.
* Prepare for follow-on inquiries from affected individuals by
establishing call centers staffed with individuals prepared to answer
the most frequently asked questions and by alerting other entities such
as credit reporting agencies.
Data Breach Notification Lessons Learned: Internal training and
awareness:
Internal training and awareness are critical to timely breach response,
including notification.
The slow response to the May 2006 VA incident highlighted the need for
personnel to be more aware of the agency's privacy and security
procedures, including incident response and reporting procedures.
Effective training and awareness of agency privacy and security
practices are essential for ensuring that staff are qualified to
effectively carry out agency policy. Because a prompt response is
critical, agency personnel must be prepared in advance with an
understanding of their roles and responsibilities in responding to a
data breach.
Federal guidance requires agencies to train staff at least annually on
their privacy and security responsibilities before permitting access to
information and information systems.
Recognizing the importance of privacy training and awareness, VA took
steps to reinforce its training of staff and contractors. For example,
On May 26, 2006, VA issued a directive to its leadership to reinforce
in each VA manager, supervisor, or team leader his or her duties and
responsibilities in protecting sensitive and confidential information.
VA directed all employees and contractors to complete its annual Cyber
Security Awareness Training and Privacy Awareness Training by June 30,
2006. This training was designed to make VA employees aware of their
responsibilities to protect sensitive information.
VA required all employees and contractors to sign a statement of
commitment and understanding subsequent to completion of the security
and privacy training to confirm their understanding of the training and
their commitment to protecting sensitive and confidential VA data.
During Security Awareness Week in June 2006, managers throughout VA
were tasked with reviewing information security and reinforcing privacy
obligations and responsibilities with their staff.
Privacy officers were tasked with ensuring that new employees complete
the agency's privacy awareness training within 30 days. They were also
tasked with identifying staff who use PII and observing their adherence
to privacy protection procedures.
Other agencies we reviewed have also taken steps to ensure that their
staff are effectively trained and aware of their privacy procedures.
For example:
Transportation launched a course to raise awareness of the proper
techniques for handling and protecting personal information. The
department required all employees to take this training by August 30,
2006.
Navy took steps to have its personnel sensitized to privacy by
requiring "stand down" Privacy Act training, issuing training aids, and
posting new policy guidance on the department's Web site.
In its May 2006 guidance, OMB directed agencies to remind their
employees of their responsibilities in safeguarding PII as well as the
rules for acquiring and using it and the penalties for violating those
rules.
Data Breach Notification Lessons Learned: Contractor responsibilities:
Contractor responsibilities for data breaches should be clearly
defined.
While the VA data breach did not involve contractors, the issue of
contractor responsibilities has figured prominently in three other
recent incidents (at Agriculture, Education, and HHS).
Under the Privacy Act, a contractor operating a system of records on
behalf of a federal agency is responsible for complying with the act.
However, as already discussed, existing laws (including the Privacy
Act) generally do not specifically address agency or contractor
responses to data breaches. Contractor obligations for taking steps
such as notifying affected individuals or providing credit monitoring
may be unclear unless specified in the contract.
Notifications were issued to affected individuals for each of the three
data breaches involving contractors. In two of the three incidents, the
contractor issued the notification.
Two of the three contractors established call centers and provided
credit monitoring services on request.
In response to the uncertainty regarding contractor responsibilities,
officials from VA and HHS suggested that the Federal Acquisition
Regulation address breach response requirements.
VA is in the process of establishing a VA-wide policy that ensures
contractor personnel are held to the same standards as VA employees.
HHS officials said they were in the process of developing guidance
requiring contractors to adhere to the department's privacy policies
and for new contracts to include requirements for contractors to follow
agency privacy policies.
The Identity Theft Task Force noted that when a data security breach
involves a federal contractor, the responsibility for complying with
notification procedures should be established with the contractor or
partner prior to entering the business relationship.
OMB has drafted guidance that incorporates the task force's
recommendation, which it plans to issue when the task force publishes
its final report.
Conclusions:
VA's data breach of May 2006 and other recent federal data breaches
provide valuable lessons learned for agencies about responding to such
incidents. Key government officials need to be informed promptly, and a
designated group of agency officials must be ready to make prompt
decisions about notification, which can be challenging if address
information is not readily available. Careful planning is needed to be
able to interact effectively with the public, training and awareness
are critical, and contractor roles and responsibilities must be
defined.
To its credit, OMB responded to the VA data breach by issuing guidance
and forwarding recommendations by the ID Theft Task Force that largely
address these lessons. However, the issue of how to make risk-based
determinations on when to offer credit monitoring and when to contract
for an alternative form of monitoring, such as data breach monitoring,
has not been addressed in guidance. Without such guidance, agencies are
likely to continue to make inconsistent decisions about what
protections to offer affected individuals.
Recommendation:
We recommend that the Director of OMB develop guidance for federal
agencies on conducting risk analyses to determine when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of
identity theft as a result of a federal data breach.
Agency Comments:
An OMB Policy Analyst in the Information Policy and Technology Branch
provided an e-mail message stating that OMB concurred with our
recommendation. OMB noted that while it is important that individuals
receive consistent responses and levels of support from federal
agencies, the same response or type of support will not be appropriate
in every situation. We agree that appropriate responses must be
tailored to address the circumstances of the breach and believe
additional guidance from OMB can facilitate consistent agency decision
making about such responses.
In oral comments on a draft of this briefing, VA officials, including
the VA/GAO Liaison, Office of Congressional and Legislative Affairs,
agreed with our results. VA also provided technical comments, which we
have incorporated into the briefing as appropriate.
Attachment I: Summary of Data Breaches at Five Agencies:
Agriculture (USDA) Date: January 19, 2006:
Summary of incident.
A Freedom of Information Act (FOIA) contractor for the Farm Services
Agency inadvertently released informational CDs that contained Social
Security numbers and tax identification data on tobacco producers/
contract holders under the agency's Tobacco Transition Payment Program.
On January 27, 2006, the contractor reviewed the data files that had
been released and determined that they contained PII. The contractor
contacted all nine individuals who had received the data, and all agreed
to return the unauthorized CDs and destroy any derived or copied
information.
Number of affected individuals: approximately 350,000:
Actions taken:
The contractor reported that it had contacted a FOIA official on
January 27, 2006, to inform him of the inadvertent release of PII to
nine external requesters. The contractor stated that the FOIA official
instructed the contractor to continue to work to recover the data and
not to notify USDA management of the data breach.
On February 9, the contractor met with USDA's chief Freedom of
Information Act officer and informed him of the data breach.
Between February 9 and 16, 2006, USDA officials assessed the nature and
magnitude of the data breach to determine how to best respond.
On February 17, 2006, the department mailed notices to all individuals
on its Tobacco Transition Payment Program mailing list.
Department of Defense (Navy)
Date: March 14, 2006:
Summary of incident:
The Marine Corps reported the loss of a thumb drive containing PII
(names, Social Security numbers, and other information) for enlisted
Marines serving on active duty from 2001 through 2005. The information
was being used for a research project on retention of service
personnel.
Navy officials considered the risk from the breach to be greatly
diminished since the thumb drive was lost on a government installation
and the drive's data were readable only through software that was
password protected and "considered in limited distribution."
Navy reported that there has been no evidence that the information was
compromised.
Number of affected individuals: 207,570:
Actions taken:
Navy officials contacted the three credit bureaus and they agreed to
offer free fraud alert on credit files of the affected individuals for
up to 24 months.
The Marine Corps took a number of actions to notify affected
individuals, including:
* issuing an electronic notice to all current active and reserve
Marines on March 24, 2006;
* publishing notification in the April-June issue of a quarterly
newsletter (Semper Fidelis) issued to retired Marines; and
* publishing news announcements in the Washington DateLine (April 4,
2006) and Marine Corps Times (April 10, 2006).
The notifications, among other things, encouraged affected individuals
to visit the Federal Trade Commission's Web site for identity theft
guidance, informed them of free fraud alert services, and suggested
that they review their credit reports for suspicious activities.
Education:
Date: June 19, 2006:
Summary of incident. A contractor for the department's National Center
for Education Statistics sent a compact disc (CD) containing PII,
including names and Social Security numbers via Federal Express to
department officials for file-matching to the National Student Loan
Data System. The CD, which was password protected, was lost in transit.
Number of affected individuals: 13,756:
Actions taken:
On Friday, June 23, 2006, Education officials contacted the contractor
because they had not yet received the CD. Both the contractor and
Education contacted FedEx on that day. FedEx had a record of the CD
being picked up but no further information.
On Monday, June 26, the contractor called FedEx to let them know
that the package contained a CD and to determine whether it had been
located. The contractor continued to monitor the status of the lost
package.
On July 12, 2006, the contractor filed an incident report with its
Institutional Review Board (IRB). The commissioner of the department's
National Center for Education Statistics was made aware of the data
loss on the same day that the contractor filed the incident report with
its IRB. The commissioner decided that transfer of PII should cease
and that a secure server should be established for the transfer of PII.
Such a secure server went into use on August 1, 2006, and the
restriction on data transfer was lifted.
The IRB monitored the efforts, ultimately unsuccessful, to recover the
lost CD. On August 15, 2006, even though the search was not finally
completed, the IRB directed the contractor to draft a notification
letter. At its meeting on September 19, 2006, the IRB approved the
draft letter for mailing.
On October 2, 2006, notification letters were mailed to individuals for
whom address information was available (13,696 of the 13,756 affected
individuals). The notice included an attached list of recommended
actions in the event the affected individual noticed any suspicious
activities concerning their financial accounts.
Of the 13,696 letters that were mailed, 619 had been returned as
undeliverable by November 27, 2006. Of these, the department was able
to identify 560 alternative addresses and the contractor mailed the 560
letters again.
Health and Human Services (HHS):
Date: June 22, 2006:
Summary of incident. An HHS Centers for Medicare & Medicaid Services
(CMS) contractor reported the theft of a contractor employee's laptop
computer from his office. The computer contained PII including names,
telephone numbers, medical record numbers, and dates of birth.
Number of affected individuals: 49,572 Medicare beneficiaries:
Actions taken:
On June 22, 2006, the CMS contractor notified regional security of the
incident and filed a police report.
On July 10, 2006, the contractor notified CMS of the incident.
Between July 26 and July 31, 2006, a CMS-approved notification letter
was sent to the affected individuals. The letter included the CMS
contractor's Notice of Privacy Practices and also provided guidance on
placing fraud alerts on credit accounts by contacting the appropriate
credit agencies. The CMS contractor set up call centers.
From July 27 through July 31, 2006, a total of 1,406 members contacted
the call centers. Although not offered in the notification letter, the
CMS contractor offered one-year free credit monitoring to those who
made telephone inquiries. A total of 141 members accepted the credit
monitoring service.
Transportation:
Date: July 27, 2006:
Summary of incident. A laptop computer containing PII including names,
addresses, Social Security numbers, and dates of birth on Florida
drivers and others was stolen from a parked car.
Number of affected individuals: Approximately 133,000 persons: 81,160
persons issued commercial drivers licenses in Miami-Dade County; 42,800
persons in Florida with Federal Aviation Administration pilot
certificates; and 9,000 persons with Florida driver's licenses.
Actions taken:
On August 5, 2006, after learning that the stolen laptop contained PII,
the acting Inspector General (IG) immediately ordered an investigation
to recover the stolen laptop. The Office of Inspector General (OIG)
also established a $10,000 reward for information leading to the
recovery of the laptop and/or arrest of the perpetrator.
On August 9, 2006, the acting IG posted open letters on the OIG Web
site to the Florida governor, Florida Congressional delegation and
Chairs and Ranking Members of Department of Transportation Oversight
Committees and Subcommittees discussing the incident.
On August 14, 2006, the OIG began mailing letters to affected
individuals, notifying them of the incident and providing information
on actions that they could take to prevent identity theft.
The OIG established a hotline for affected individuals to contact if
they suspected fraud. The hotline was staffed 24 hours a day, seven
days a week.
The OIG also awarded a contract to a risk management company (ID
Analytics, Inc.) to provide data breach analysis services to determine
whether any PII of the affected individuals was being exploited. The
company is to provide the IG with quarterly reports over a two-year
period.
[End of section]
Appendix II: Comments from the Office of Management and Budget:
Executive Office Of The President:
Office Of Management And Budget:
Washington, D.C. 20503:
April 23, 2007:
Ms. Linda D. Koontz:
Director:
Information Management Issues:
Government Accountability Office:
441 G Street, SW:
Washington, DC 20548:
Dear Ms. Koontz:
Thank you for the opportunity to comment on the draft Government
Accountability Office (GAO) report, "Lessons Learned about Data Breach
Notification" (code 310875), addressing the privacy implications
resulting from data breaches.
In this report, GAO recommends that the Office of Management and Budget
(OMB) develop guidance on conducting risk analyses to determine when to
offer credit monitoring and when to contract for an alternative form of
monitoring, such as data breach monitoring, to assist individuals at
risk of identity theft as a result of a federal data breach. The report
also includes a definition for the term "personally identifiable
information."
OMB concurs with GAO's recommendation. Consistent responses to data
breaches can be achieved through consistent application of a risk-based
analysis of the relevant circumstances. Providing further guidance and
a risk-based framework will enable federal agencies to determine the
appropriate response which is focused on treating citizens fairly,
founded on the type of information lost, and commensurate with the
level of risk of identity theft.
It is important for individuals affected when their personal
information, including personally identifiable information, has been
compromised to receive consistent responses and levels of support from
the federal agency involved in the breach; however, it is important to
note the same particular response and/or type of support will not be
appropriate, or even necessary, for every situation.
For example, a few of the many factors considered when deciding whether
to provide services following a breach, such as credit monitoring or
data breach monitoring services, include the type of information lost,
cost of the service being considered, risk of identity theft for the
affected individuals, and likelihood the service will reduce this risk.
These and other factors differ in each situation. As such, the
appropriate response must be tailored to address each particular set of
circumstances.
Additionally, the report includes a definition for the term "personally
identifiable information" (PII) which is the same as one included in
the draft policy memorandum, "Safeguarding Against and Responding to
the Breach of Personally Identifiable Information," OMB recently
circulated for interagency comment. OMB notes the definition of this
term will likely be revised in the final policy based on comments
received. As such, OMB suggests the language of the definition for PII
should be clarified in the report as tentative language.
Thank you for the opportunity to review and comment on the draft report
on this important issue. Protection of personal information, both
generally and our response to data breaches, is vital to ensuring the
trust of the American people in the federal government.
Sincerely,
Signed by:
Karen Evans:
Administrator:
Office of E-Government and Information Technology:
Office of Management and Budget:
[End of section]
Appendix III: Comments from the Department of Veterans Affairs:
The Secretary Of Veterans Affairs:
Washington:
April 19, 2007:
Ms. Linda D. Koontz:
Director:
Information Management Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Ms. Koontz:
The Department of Veterans Affairs (VA) has reviewed the Government
Accountability Office's (GAO) draft report: Privacy: Lessons Learned
about Data Breach Notification (GAO-07-657) and agrees with its
findings. VA also agrees with GAO's recommendations that the Director
of the Office of Management and Budget develop guidance for Federal
agencies on conducting risk analyses to determine when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of
identity theft as a result of a Federal data breach.
The Department is finalizing its new data breach regulation that
implements the Veterans Benefits, Health Care, and Information
Technology Act of 2006, Public Law 109-461. The new Part 75 will follow
the statutory framework of 38 U.S.C. 5724. Under this authority, upon
the discovery of a data breach, VA must ensure that a non-VA entity or
VA's Office of Inspector General conducts an independent risk analysis
to determine the level of risk associated with the data breach for the
potential misuse of any sensitive personal information. If the
Secretary determines, based on the findings of the risk analysis, that
a reasonable risk exists for the potential misuse of sensitive personal
information, the statute requires that the Secretary provide
notification to the affected individuals and may provide one or more of
the following: credit monitoring, fraud resolution services, and
identity theft insurance.
Sincerely yours,
Signed by:
R. James Nicholson:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Linda D. Koontz, (202) 512-6240:
Staff Acknowledgments:
In addition to the individual named above, other key contributors to
the report were John de Ferrari, Assistant Director; Michael A.
Alexander; and Nancy Glover.
(310785):
FOOTNOTES
[1] "Personally identifiable information" refers to any information
about an individual maintained by an agency, including any information
that can be used to distinguish or trace an individual's identity, such
as their name, Social Security Number, date and place of birth,
mother's maiden name, biometric records, etc., and any other personal
information which is linked or linkable to an individual.
[2] The recently enacted Department of Veterans Affairs Information
Security Enhancement Act of 2006, Pub. L. No. 109-461 requires VA to
issue interim regulations for the provision of certain services,
including notification, in the event a data breach of veterans'
sensitive personal information results in a determination that a
reasonable risk exists for the potential misuse of the information.
[3] GAO, Privacy: Preventing and Responding to Improper Disclosures of
Personal Information, GAO-06-833T (Washington, D.C.: June 8, 2006).
[4] Title IX of this statute contains the Department of Veterans
Affairs Information Security Enhancement Act of 2006 referred to on
page 1.
[5] Personally Identifiable Information refers to any information about
an individual maintained by an agency, including any information that
can be used to distinguish or trace an individual's identity, such as
their name, social security number, date and place of birth, mother's
maiden name, biometric records, etc., and any other personal
information which is linked or linkable to an individual.
[6] For detailed information about the facts and circumstances
surrounding the VA data breach incident, see Department of Veterans
Affairs Office of Inspector General, Review of Issues Related to the
Loss of VA Information Involving the Identity of Millions of Veterans,
Report No. 06-02238-163 (Washington, D.C.: July 11, 2006).
[7] The recently enacted Department of Veterans Affairs Information
Security Enhancement Act of 2006, Pub. L. No. 109-461, requires VA to
issue interim regulations for the provision of certain services,
including notification, in the event a data breach of veterans'
sensitive personal information results in a determination that a
reasonable risk exists for the potential misuse of the information.
[8] GAO, Privacy: Preventing and Responding to Improper Disclosures of
Personal Information, GAO-06-833T (Washington, D.C.: June 8, 2006).
[9] Committee on Government Reform, Staff Report: Agency Data Breaches
Since January 1, 2003 (Washington, D.C.: Oct. 13, 2006).
[10] OMB, Reporting Incidents Involving Personally Identifiable
Information and Incorporating the Cost for Security in Agency
Information Technology Investments, Memorandum M-06-19 (Washington,
D.C.: July 12, 2006).
[11] Information resellers are companies that amass and sell data,
including personal data, from many sources.
[12] A "system of records" is defined by the Privacy Act as a group of
records from which information is retrieved by personal identifier. The
act requires that agencies issue public notices that define, among
other things, "routine uses" of the information in these systems: uses
that are compatible with the purpose for which the information was
originally collected.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548: