Lessons Learned about Data Breach Notification
GAO-07-657, Apr 30, 2007
A May 2006 data breach at the Department of Veterans Affairs (VA) and other similar incidents since then have heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. GAO's objective was to identify lessons learned from the VA data breach and other similar federal data breaches regarding effectively notifying government officials and affected individuals about data breaches. To address this objective, GAO analyzed documentation and interviewed officials at VA and five other agencies regarding their responses to data breaches and their progress in implementing standardized data breach notification procedures. The cases at the other agencies were chosen because, like the VA case, they involved loss or theft of computing equipment and relatively large numbers of affected individuals (10,000 or more).
Based on the experience of VA and other federal agencies in responding to data breaches, GAO identified the following lessons learned regarding how and when to notify government officials, affected individuals, and the public: (1) rapid internal notification of key government officials is critical; (2) because incidents vary, a core group of senior officials should be designated to make decisions regarding an agency's response; (3) mechanisms must be in place to obtain contact information for affected individuals; (4) determining when to offer credit monitoring to affected individuals requires risk-based management decisions; (5) interaction with the public requires careful coordination and can be resource-intensive; (6) internal training and awareness are critical to timely breach response, including notification; and (7) contractor responsibilities for data breaches should be clearly defined. These lessons have largely been addressed in guidance issued in 2006 from the Office of Management and Budget (OMB), which is responsible for overseeing security and privacy within the federal government. However, guidance to assist agency officials in making consistent risk-based determinations about when to offer credit monitoring or other protection services has not been developed. Without such guidance, agencies are likely to continue to make inconsistent decisions about what protections to offer affected individuals, potentially leaving some people more vulnerable than others.
Recommendation for Executive Action
Recommendation: The Director of OMB should develop guidance for federal agencies on conducting risk analyses to determine when to offer credit monitoring and when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft as a result of a federal data breach.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Not Implemented
Comments: In written comments on our report, the Administrator, Office of E-Government and Information Technology, Office of Management and Budget (OMB), stated that the office concurred with our recommendation. OMB's stated position was that further guidance and a risk-based framework would be sufficient to enable federal agencies to determine the appropriate response to a federal data breach commensurate with the level of risk of identity theft. On May 22, 2007, OMB issued guidance--Safeguarding Against and Responding to the Breach of Personally Identifiable Information--that is consistent with its stated position and offers a general framework for a risk-based response to data breaches. However, this document does not provide guidance to agencies specifically on when to offer credit monitoring or when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft. As of August 2011, OMB had not revised this guidance or created new guidance to address when to offer credit monitoring or other services to individuals.