GAO-06-833T, Privacy: Preventing and Responding to Improper Disclosures of Personal Information


This is the accessible text file for GAO report number GAO-06-833T 
entitled 'Privacy: Preventing and Responding to Improper Disclosures of 
Personal Information' which was released on June 8, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO: 

Testimony: 

Committee on Government Reform, House of Representatives: 

For Release on Delivery: 

Expected at 10 a.m. EDT Thursday, June 8, 2006: 

Privacy: 

Preventing and Responding to Improper Disclosures of Personal 
Information: 

Statement of David M. Walker: 

Comptroller General of the United States: 

GAO-06-833T: 

GAO Highlights: 

Highlights of GAO-06-833T, a testimony before the Committee on 
Government Reform, House of Representatives. 

Why GAO Did This Study: 

The recent security breach at the Department of Veterans Affairs, in 
which personal data on millions of veterans were compromised, has 
highlighted the importance of the federal government’s processes for 
protecting personal information. As the federal government obtains and 
processes information about individuals in increasingly diverse ways, 
it remains critically important that it properly protect this 
information and respect the privacy rights of individuals. 

GAO was asked to testify on preventing and responding to improper 
disclosures of personal information in the federal government, 
including how agencies should notify individuals and the public when 
breaches occur. In preparing this testimony, GAO drew on its previous 
reports and testimonies, as well as on expert opinion provided in 
congressional testimony and other sources. 

What GAO Found: 

Agencies can take a number of actions to help guard against the 
possibility that databases of personally identifiable information are 
inadvertently compromised. Two key steps are as follows:
* Develop a privacy impact assessment—an analysis of how personal 
information is collected, stored, shared, and managed—whenever 
information technology is used to process personal information. These 
assessments, required by the E-Government Act of 2002, are a tool for 
agencies to fully consider the privacy implications of planned systems 
and data collections before implementation, when it may be easier to 
make critical adjustments.
* Ensure that a robust information security program is in place, as 
required by the Federal Information Security Management Act of 2002 
(FISMA). Such a program includes periodic risk assessments; security 
awareness training; security policies, procedures, and practices, as 
well as tests of their effectiveness; and procedures for addressing 
deficiencies and for detecting, reporting, and responding to security 
incidents. More specific practical measures aimed at preventing 
inadvertent data breaches include limiting the collection of personal 
information, limiting the time that such data are retained, limiting 
access to personal information and training personnel accordingly, and 
considering the use of technological controls such as encryption when 
data need to be stored on mobile devices. 

When data breaches do occur, notification to the individuals affected 
and/or the public has clear benefits, allowing people the opportunity 
to take steps to protect themselves against the dangers of identity 
theft. Although existing laws do not require agencies to notify the 
public when data breaches occur, such notification is consistent with 
agencies’ responsibility to inform individuals about how their 
information is being accessed and used, and it promotes accountability 
for privacy protection. That said, care is needed in defining 
appropriate criteria for incidents that merit notification. Notifying 
individuals of security incidents that do not pose serious risks could 
be counterproductive and costly, while giving too much discretion to 
agencies could result in their avoiding the disclosure of potentially 
harmful breaches. Care is also needed to ensure that notices are useful 
and easy to understand, so that they are effective in alerting 
recipients to actions they may want to take to minimize the risk of 
identity theft. Among other things, it is important to provide context 
in the notice—explaining to recipients why they are receiving a notice 
and what to do about it. It is also important the notices be 
coordinated with law enforcement to avoid impeding ongoing 
investigations. Given that individuals may be adversely impacted by a 
compromise of their personal information, it is critical that they 
fully understand the nature of the threat and the options they have to 
address it. 

What GAO Recommends: 

GAO has made recommendations previously to agencies and to the Office 
of Management and Budget (OMB), which provides guidance to agencies on 
implementing federal privacy and security laws, to ensure that they are 
adequately addressing security and privacy issues. In addition, in 
considering security breach notification legislation, the Congress 
should consider setting specific reporting requirements for agencies. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-833T]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda Koontz at (202) 512-
6240 or koontzl@gao.gov. 

[End of Section] 

Mr. Chairman and Members of the Committee: 

I appreciate the opportunity to be here today to discuss key challenges 
federal agencies face in safeguarding personally identifiable 
information[Footnote 1] in their custody and taking action when that 
information is compromised. As the federal government obtains and 
processes personal information about individuals in increasingly 
diverse ways, it remains critically important that this information be 
properly protected and the privacy rights of individuals respected. 
Recently, as you know, personal data on millions of veterans was stolen 
from the home of an employee of the Department of Veterans Affairs, who 
had not been authorized to have the data at home. Compromises such as 
this raise important questions about what steps agencies should take to 
prevent such compromises and how they should notify citizens when 
breaches do occur. 

As requested, my statement will focus on preventing and responding to 
improper disclosures of personal information in the federal government, 
including notifying the public about such security breaches. After a 
brief summary and discussion of the federal laws and guidance that 
apply to agency use of personal information, I will discuss potential 
measures that federal agencies can take to help limit the likelihood of 
personal information being compromised and then highlight key benefits 
and challenges associated with effectively notifying the public about 
security breaches. 

To address measures that agencies can take to help limit the likelihood 
of personal information being compromised, we identified and summarized 
issues raised by experts in congressional testimony and in our previous 
reports, including our recent work regarding the federal government's 
use of personal information from companies known as information 
resellers.[Footnote 2] We conducted the work for these reports in 
accordance with generally accepted government auditing standards. To 
identify benefits and challenges associated with effectively notifying 
the public about security breaches, we summarized expert opinion from 
congressional testimony as well as key practices identified at a 
Department of Homeland Security (DHS) privacy workshop, by the state of 
California, and by the Federal Trade Commission. To provide additional 
information on our previous privacy-related work, I have included, as 
an attachment, a list of 20 pertinent GAO publications. 

Results in Brief: 

Agencies can take a number of actions to help guard against the 
possibility that databases of personally identifiable information are 
inadvertently compromised. Two key steps are (1) to develop a privacy 
impact assessment--an analysis of how personal information is 
collected, stored, shared, and managed in a federal information system-
-whenever information technology is used to process personal 
information and (2) to ensure that a robust information security 
program is in place, as required by the Federal Information Security 
Management Act of 2002 (FISMA). More specific practical measures aimed 
at preventing inadvertent data breaches include limiting the collection 
of personal information, limiting data retention, limiting access to 
personal information and training personnel accordingly, and 
considering using technological controls such as encryption when data 
need to be stored on mobile devices. 

When data breaches do occur, notification to the individuals affected 
and/or the public has clear benefits, allowing people the opportunity 
to take steps to protect themselves against the dangers of identity 
theft. It is also consistent with agencies' responsibility to inform 
individuals about how their information is being accessed and used and 
promotes accountability for its protection. At the same time, concerns 
have been raised that notifying individuals of security incidents that 
do not pose serious risks could be counterproductive and costly. Care 
is needed in defining appropriate criteria if agencies are required to 
report security breaches to the public, including coordinating with law 
enforcement. Care is also needed to ensure that notices are useful and 
easy to understand so that they are effective in alerting individuals 
to actions they may want to take to minimize the risk of identity 
theft. 

We have made recommendations previously to OMB and agencies to ensure 
they are adequately addressing privacy issues, including through the 
conduct of privacy impact assessments. We have also recommended that 
OMB implement improvements in its annual FISMA reporting guidance to 
help improve oversight of agency information security programs. In 
addition, the Congress should consider setting specific reporting 
requirements for agencies as part of its consideration of security 
breach legislation. Further Congress should consider requiring OMB to 
provide guidance to agencies on how to develop and issue security 
breach notices to affected individuals. 

Background: 

The recent theft of personally identifiable information on millions of 
veterans is only the latest of a series of such data breaches involving 
the loss or theft of information on magnetic tapes, computer hard 
drives, and other devices, as well as incidents in which individuals 
gained unauthorized access to large commercial databases of such 
information. Concerns about possible identity theft resulting from such 
breaches are widespread. The Federal Trade Commission (FTC) reported in 
2005 that identity theft represented about 40 percent of all the 
consumer fraud complaints it received during each of the last 3 
calendar years. Identity theft generally involves the fraudulent use of 
another person's identifying information--such as name, address, Social 
Security number, date of birth, or mother's maiden name--to establish 
credit, run up debt, or take over existing financial accounts. 
According to identity theft experts, individuals whose identities have 
been stolen can spend months or years and thousands of dollars clearing 
their names. Some individuals have lost job opportunities, been refused 
loans, or even been arrested for crimes they did not commit as a result 
of identity theft. 

Several Key Laws Govern Agency Privacy Practices: 

Federal agencies are subject to security and privacy laws aimed in part 
at preventing security breaches, including breaches that could enable 
identity theft. The major requirements for the protection of personal 
privacy by federal agencies come from two laws, the Privacy Act of 1974 
and the E-Government Act of 2002. FISMA also addresses the protection 
of personal information in the context of securing federal agency 
information and information systems. 

The Privacy Act places limitations on agencies' collection, disclosure, 
and use of personal information maintained in systems of records. The 
act describes a "record" as any item, collection, or grouping of 
information about an individual that is maintained by an agency and 
contains his or her name or another personal identifier. It also 
defines "system of records" as a group of records under the control of 
any agency from which information is retrieved by the name of the 
individual or by an individual identifier. The Privacy Act requires 
that when agencies establish or make changes to a system of records, 
they must notify the public by a "system-of-records notice" that is, a 
notice in the Federal Register identifying, among other things, the 
type of data collected, the types of individuals about whom information 
is collected, the intended "routine" uses of data, and procedures that 
individuals can use to review and correct personal 
information.[Footnote 3] Among other provisions, the act also requires 
agencies to define and limit themselves to specific predefined 
purposes. 

The Office of Management and Budget (OMB), which is responsible for 
providing guidance to agencies on how to implement the provisions of 
the Privacy Act and other federal privacy and security laws, recently 
issued a memorandum reminding agencies of their responsibilities under 
the Privacy Act, other laws, and policy to appropriately safeguard 
sensitive personally identifiable information and train employees on 
their responsibilities in this area.[Footnote 4] The memo called on 
agency senior privacy officials to conduct a review of policies and 
processes to make sure adequate safeguards are in place to prevent the 
intentional or negligent misuse of, or unauthorized access to, 
personally identifiable information. 

The provisions of the Privacy Act are largely based on a set of 
principles for protecting the privacy and security of personal 
information, known as the Fair Information Practices, which were first 
proposed in 1973 by a U.S. government advisory committee;[Footnote 5] 
these principles were intended to address what the committee termed a 
poor level of protection afforded to privacy under contemporary law. 
Since that time, the Fair Information Practices have been widely 
adopted as a standard benchmark for evaluating the adequacy of privacy 
protections. Attachment 2 contains a summary of the widely used version 
of the Fair Information Practices adopted by the Organization for 
Economic Cooperation and Development in 1980. 

The E-Government Act of 2002 strives to enhance protection for personal 
information in government information systems by requiring that 
agencies conduct privacy impact assessments (PIA). A PIA is an analysis 
of how personal information is collected, stored, shared, and managed 
in a federal system. More specifically, according to OMB 
guidance,[Footnote 6] a PIA is to (1) ensure that handling conforms to 
applicable legal, regulatory, and policy requirements regarding 
privacy; (2) determine the risks and effects of collecting, 
maintaining, and disseminating information in identifiable form in an 
electronic information system; and (3) examine and evaluate protections 
and alternative processes for handling information to mitigate 
potential privacy risks. To the extent that PIAs are made publicly 
available,[Footnote 7] they provide explanations to the public about 
such things as the information that will be collected, why it is being 
collected, how it is to be used, and how the system and data will be 
maintained and protected. 

FISMA also addresses the protection of personal information. FISMA 
defines federal requirements for securing information and information 
systems that support federal agency operations and assets; it requires 
agencies to develop agencywide information security programs that 
extend to contractors and other providers of federal data and 
systems.[Footnote 8] Under FISMA, information security means protecting 
information and information systems from unauthorized access, use, 
disclosure, disruption, modification, or destruction, including 
controls necessary to preserve authorized restrictions on access and 
disclosure to protect personal privacy, among other things. Your 
committee has issued annual report cards on federal government 
information security based on reports submitted by agencies as required 
by FISMA. 

Interest in Data Breach Notification Legislation Has Increased: 

Federal laws to date have not required agencies to report security 
breaches to the public,[Footnote 9] although breach notification has 
played an important role in the context of security breaches in the 
private sector. For example, California state law requires businesses 
to notify consumers about security breaches that could directly affect 
them. Legal requirements, such as the California law, led ChoicePoint, 
a large information reseller,[Footnote 10] to notify its customers in 
mid-February 2005 of a security breach in which unauthorized persons 
gained access to personal information from its databases. Since the 
ChoicePoint notification, bills were introduced in at least 44 states 
and enacted in at least 29[Footnote 11] that require some form of 
notification upon a security breach. 

A number of congressional hearings were held and bills introduced in 
2005 in the wake of the ChoicePoint security breach as well as 
incidents at other firms. In March 2005, the House Subcommittee on 
Commerce, Trade, and Consumer Protection of the House Energy and 
Commerce Committee held a hearing entitled "Protecting Consumers' Data: 
Policy Issues Raised by ChoicePoint," which focused on potential 
remedies for security and privacy concerns regarding information 
resellers. Similar hearings were held by the House Energy and Commerce 
Committee and by the U.S. Senate Committee on Commerce, Science, and 
Transportation in spring 2005. 

Several bills introduced at the time of these hearings, such as the 
Data Accountability and Trust Act,[Footnote 12] would establish a 
national requirement for companies that maintain personal information 
to notify the public of security breaches. While many of these 
proposals were focused on private sector companies rather than the 
federal government, they could be applied to any organizations that 
collect and maintain significant amounts of personally identifiable 
information. The Notification of Risk to Personal Data Act[Footnote 13] 
would explicitly include federal agencies, requiring them as well as 
any "persons engaged in interstate commerce" to disclose security 
breaches involving unauthorized acquisition of personal data. 

Agencies Can Take Steps to Reduce the Likelihood That Personal Data 
Will Be Compromised: 

A number of actions can be taken to help guard against the possibility 
that personal information maintained by agencies is inadvertently 
compromised. I will focus my remarks today on key strategic approaches 
for safeguarding personal information as well as a few practical 
measures that could be critical in preventing data breaches. I will not 
discuss at length the broader topic of information security in the 
federal government, which both the committee and GAO have addressed 
extensively in the past.[Footnote 14] Key strategic approaches include 
the following: 

Conduct privacy impact assessments (PIAs). It is important that 
agencies identify the specific instances in which they collect and 
maintain personal information and proactively assess the means they 
intend to use to protect this information. This can be done most 
effectively through the development of PIAs, which, as I previously 
mentioned, are required by the E-Government Act of 2002 when using 
information technology to process personal information. PIAs are 
important because they serve as a tool for agencies to fully consider 
privacy implications of planned systems and data collections before 
those systems and collections have been fully implemented, when it may 
be relatively easy to make critical adjustments. 

In prior work we have found that agencies do not always prepare PIAs as 
they are required. For example, our review of selected data mining 
efforts at federal agencies[Footnote 15] determined that PIAs were not 
always being done in full compliance with OMB guidance. Similarly, as 
identified in our work on federal agency use of information 
resellers,[Footnote 16] few PIAs were being developed for systems or 
programs that made use of information reseller data because officials 
did not believe they were required. Complete assessments are an 
important tool for agencies to identify areas of noncompliance with 
federal privacy laws, evaluate risks arising from electronic collection 
and maintenance of information about individuals, and evaluate 
protections or alternative processes needed to mitigate the risks 
identified. Agencies that do not take all the steps required to protect 
the privacy of personal information risk the improper exposure or 
alteration of such information. We recommended that the agencies 
responsible for the data mining efforts we reviewed complete or revise 
PIAs as needed and make them available to the public. We also 
recommended that OMB revise its guidance to clarify the applicability 
of the E-Gov Act's PIA requirement to the use of personal information 
from resellers. OMB stated that it would discuss its guidance with 
agency senior officials for privacy to determine whether additional 
guidance concerning reseller data was needed. 

Ensure that a robust security program is in place. FISMA requires each 
agency to develop, document, and implement an agencywide information 
security program to provide security for the information and 
information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. Key elements of this program include: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems; 

* risk-based policies and procedures that cost-effectively reduce risks 
to an acceptable level and ensure that security is addressed throughout 
the life cycle of each information system; 

* security awareness training for agency personnel, including 
contractors and other users of information systems that support the 
operations and assets of the agency; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies through plans of action and 
milestones; and: 

* procedures for detecting, reporting, and responding to security 
incidents. 

* In prior reviews we have repeatedly identified weaknesses in almost 
all areas of information security controls at major federal agencies, 
and we have identified information security as a high risk area across 
the federal government since 1997. In July 2005, we reported that 
pervasive weaknesses in the 24 major agencies' information security 
policies and practices threatened the integrity, confidentiality, and 
availability of federal information and information systems.[Footnote 
17] These weaknesses existed primarily because agencies had not yet 
fully implemented strong information security management programs, as 
needed to fully meet FISMA requirements. We recommended that OMB 
implement improvements in its annual FISMA reporting guidance to help 
improve oversight of agency information security programs. In March 
2006, we reported that OMB had taken several actions to improve 
reporting and could further enhance the reliability and quality of 
reported information.[Footnote 18] 

* In the course of taking strategic approaches to protecting the 
privacy and security of personal information, agencies will likely 
consider a range of specific practical measures. Several that may be of 
particular value in preventing inadvertent data breaches include the 
following: 

* Limit collection of personal information. One item to be analyzed as 
part of a PIA is the extent to which an agency needs to collect 
personal information in order to meet the needs of a specific 
application. Limiting the collection of personal information, among 
other things, serves to limit the opportunity for that information to 
be compromised. For example, key identifying information--such as 
Social Security numbers--may not be needed for many agency applications 
that have databases of other personal information. Limiting the 
collection of personal information is also one of the fair information 
practices, which are fundamental to the Privacy Act and to good privacy 
practice in general. 

* Limit data retention. Closely related to limiting data collection is 
limiting retention. Retaining personal data longer than needed by an 
agency or statutorily required adds to the risk that the data will be 
compromised. In discussing data retention, California's Office of 
Privacy Protection recently reported an example in which a university 
experienced a security breach that exposed 15-year-old data, including 
Social Security numbers. The university subsequently reviewed its 
policies and decided to shorten the retention period for certain types 
of information.[Footnote 19] Federal agencies can make decisions up 
front about how long they plan to retain personal data as part of their 
PIAs, aiming to retain the data for as brief a period as necessary. 

* Limit access to personal information and train personnel accordingly. 
Only individuals with a need to access agency databases of personal 
information should have such access, and controls should be in place to 
monitor that access. Further, agencies can implement technological 
controls to prevent personal data from being readily transferred to 
unauthorized systems or media, such as laptop computers, discs, or 
other electronic storage devices. Security training, which is required 
for all federal employees under FISMA, can include training on the 
risks of exposing personal data to potential identity theft, thus 
helping to reduce the likelihood of data being exposed inadvertently. 

* Consider using technological controls such as encryption when data 
needs to be stored on mobile devices. In certain instances, agencies 
may find it necessary to enable employees to have access to personal 
data on mobile devices such as laptop computers. As discussed, this 
should be minimized. However, when absolutely necessary, the risk that 
such data could be exposed to unauthorized individuals can be reduced 
by using technological controls such as encryption, which significantly 
limits the ability of such individuals gaining access to the data. 
While encrypting data adds to the operational burden on authorized 
individuals, who must enter pass codes or use other authentication 
means to decrypt the data, it can provide reasonable assurance that 
stolen or lost computer equipment will not result in personal data 
being compromised, as occurred in the recent incident at the Department 
of Veterans Affairs. A decision about whether to use encryption would 
logically be made as an element of the PIA process and an agency's 
broader information security program. 

* While these suggestions do not amount to a complete prescription for 
protecting personal data, they are key elements of an agency's strategy 
for reducing the risks that could lead to identity theft. 

Public Notification of Data Breaches Has Clear Benefits as Well as 
Challenges: 

I just discussed some preventive measures agencies can take to avoid a 
data breach. However, in the event an incident does occur, agencies 
must respond quickly in order to minimize the potential harm associated 
with identity theft. Applicable laws such as the Privacy Act currently 
do not require agencies to notify individuals of security breaches 
involving their personal information; however, doing so allows those 
affected the opportunity to take steps to protect themselves against 
the dangers of identity theft. For example, the California data breach 
notification law is credited with bringing to the public's notice large 
data breaches within the private sector, including at information 
resellers such as ChoicePoint and LexisNexis last year. Although we do 
not know how many instances of identity theft resulted from last year's 
data breaches, the Federal Trade Commission has previously reported 
that the overall cost of an incident of identity theft, as well as the 
harm to the victims, is significantly smaller if the misuse of the 
victim's personal information is discovered quickly.[Footnote 20] 
Arguably, the California law may have mitigated the risk of identity 
theft to affected individuals by keeping them informed about data 
breaches and thus enabling them to take steps such as contacting credit 
bureaus to have fraud alerts placed on their credit files, obtaining 
copies of their credit reports, scrutinizing their monthly financial 
account statements, and taking other steps to protect themselves. The 
chairman of the Federal Trade Commission has testified that the 
Commission believes that if a security breach creates a significant 
risk of identity theft or other related harm, affected consumers should 
be notified.[Footnote 21] 

Breach notification is also important in that it can help an 
organization address key privacy rights of individuals. These rights 
are based on the fair information practices (see attachment 2); these 
principles have been widely adopted and are the basis of privacy laws 
and related policies in many countries, including the United States. In 
particular, the openness principle states that the public should be 
informed about privacy policies and practices, and individuals should 
have ready means of learning about the use of personal information. 
Breach notification is one way that organizations--either in the 
private sector or the government--can meet their responsibility for 
keeping the public informed of how their personal information is being 
used and who has access to it. Equally important is the accountability 
principle, which states that individuals controlling the collection or 
use of personal information should be accountable for taking steps to 
ensure the implementation of the other principles, such as use 
limitation and security safeguards. Public disclosure of data breaches 
is a key step in ensuring that organizations are held accountable for 
the protection of personal information. 

Concerns Have Been Raised About the Criteria for Issuing Notices to the 
Public: 

Although the principle of notifying affected individuals (or the 
public) about data breaches has clear benefits, determining the 
specifics of when and how an agency should issue such notifications 
presents challenges, particularly in determining the specific criteria 
for incidents that merit notification. In congressional testimony, the 
Federal Trade Commission[Footnote 22] raised concerns about the 
threshold for which consumers should be notified of a breach, 
cautioning that too strict a standard could have several negative 
effects. First, notification of a breach when there is little or no 
risk of harm might create unnecessary concern and confusion. Second, a 
surfeit of notices, resulting from notification criteria that are too 
strict, could render all such notices less effective, because consumers 
could become numb to them and fail to act when risks are truly 
significant. Finally, the costs to both individuals and business are 
not insignificant and may be worth considering. The FTC points out 
that, in response to a security breach notification, a consumer may 
cancel credit cards, contact credit bureaus to place fraud alerts on 
credit files, or obtain a new driver's license number. These actions 
could be time-consuming for the individual and costly for the companies 
involved. Given these potential negative effects, care is clearly 
needed in defining appropriate criteria for required breach 
notifications. 

While care needs to be taken to avoid requiring agencies to notify the 
public of trivial security incidents, concerns have also been raised 
about setting criteria that are too open-ended or that rely too heavily 
on the discretion of the affected organization. Some public advocacy 
groups have cautioned that notification criteria that are too weak 
would give companies an incentive not to disclose potentially harmful 
breaches. This concern could also apply to federal agencies. In 
congressional testimony last year, the executive director of the Center 
for Democracy and Technology argued that if an entity is not certain 
whether a breach warrants notification, it should be able to consult 
with the Federal Trade Commission.[Footnote 23] He went on to suggest 
that a two-tiered system may be desirable, with notice to the Federal 
Trade Commission of all breaches of personal data and notice to 
consumers where there is a potential risk of identity theft. The Center 
for Democracy and Technology's comments regarding the Federal Trade 
Commission were aimed at commercial entities such as information 
resellers. A different entity--such as OMB, which is responsible for 
overseeing security and privacy within the federal government--might be 
more appropriate to take on a parallel role with respect to federal 
agencies. 

Effective Notices Should Provide Useful Information and Be Easy to 
Understand: 

Once a determination has been made that a public notice is to be 
issued, care must be taken to ensure that it does its job effectively. 
Designing useful, easy-to-understand notices has been cited as a 
challenge in other areas where privacy notices are required by law, 
such as in the financial industry--where businesses are required by the 
Gramm-Leach-Bliley Act to send notices to consumers about their privacy 
practices--and in the federal government, which is required by the 
Privacy Act to issue public notices in the Federal Register about its 
systems of records containing personal information. For example, as 
noted during a public workshop hosted by the Department of Homeland 
Security's Privacy Office, designing easy-to-understand consumer 
financial privacy notices to meet Gramm-Leach Bliley Act requirements 
has been challenging. Officials from the FTC and Office of the 
Comptroller of the Currency described widespread criticism of these 
notices--that they were unexpected, too long, filled with legalese, and 
not understandable. 

If an agency is to notify people of a data breach, it should do so in 
such a way that they understand the nature of the threat and what steps 
need to be taken to protect themselves against identity theft. In 
connection with its state law requiring security breach notifications, 
the California Office of Privacy Protection has published recommended 
practices for designing and issuing security breach notices.[Footnote 
24] The office recommends that such notifications include, among other 
things, 

* a general description of what happened; 

* the type of personal information that was involved; 

* what steps have been taken to prevent further unauthorized 
acquisition of personal information; 

* the types of assistance to be provided to individuals, such as a toll-
free contact telephone number for additional information and 
assistance; 

* information on what individuals can do to protect themselves from 
identity theft, including contact information for the three credit 
reporting agencies; and: 

* information on where individuals can obtain additional information on 
protection against identity theft, such as the Federal Trade 
Commission's Identity Theft Web site (www.consumer.gov/idtheft). 

* The California Office of Privacy Protection also recommends making 
notices clear, conspicuous, and helpful, by using clear, simple 
language and avoiding jargon and suggests avoiding using a standardized 
format to mitigate the risk that the public will become complacent 
about the process. 

* The Federal Trade Commission has issued guidance to businesses on 
notifying individuals of data breaches that reiterates several key 
elements of effective notification--describing clearly what is known 
about the data compromise, explaining what responses may be appropriate 
for the type of information taken, and providing information and 
contacts regarding identity theft in general. The Commission also 
suggests providing contact information for the law enforcement officer 
working on the case as well as encouraging individuals who discover 
that their information has been misused to file a complaint with the 
Commission.[Footnote 25] 

* Both the state of California and the Federal Trade Commission 
recommend consulting with cognizant law-enforcement officers about an 
incident before issuing notices to the public. In some cases, early 
notification or disclosure of certain facts about an incident could 
hamper a law enforcement investigation. For example, an otherwise 
unknowing thief could learn of the potential value of data stored on a 
laptop computer that was originally stolen purely for the value of the 
hardware. Thus it is recommended that organizations consult with law 
enforcement regarding the timing and content of notifications. However, 
law enforcement investigations should not necessarily result in lengthy 
delays in notification. California's guidance states that it should not 
be necessary for a law enforcement agency to complete an investigation 
before notification can be given. 

* During a recent public workshop on "Transparency and Accountability: 
The Use of Personal Information within the Government," hosted by the 
DHS Privacy Office, a panelist discussed the concept of "layering" 
notices to foster greater understanding and comprehension by consumers. 
Layering involves providing only the most important summary facts up 
front--often in a graphically oriented format--followed by one or more 
lengthier, more narrative versions in order to ensure that all 
information is communicated that needs to be. The panelist noted the 
pros and cons of lengthy, detailed notices versus brief, easier-to- 
understand notices. Specifically, long notices have the advantage of 
being complete, but this is often at a cost of not being easy to 
understand, while brief, easier-to-understand notices may not capture 
all the detail that needs to be conveyed. Multilayered notices were 
cited as an option to achieving an easy-to-understand yet complete 
notice. 

* In addition, DHS workshop panelists from the Federal Trade Commission 
and the Office of the Comptroller of the Currency discussed the major 
findings of an interagency research project[Footnote 26] concerning the 
design of easy-to-understand consumer financial privacy notices. The 
study found, among other things, that providing context to the notice 
(explaining to consumers why they are receiving the notice and what to 
do with it) was key to comprehension, and that comprehension was aided 
by incorporating key visual design elements, such as use of a tabular 
format, large and legible fonts, and appropriate use of white space and 
simple headings. 

* Although these panel discussions were not focused on notices to 
inform the public of data breaches, the multilayered approach discussed 
and findings from the interagency research project can be applied to 
such notices. For example, a multilayered security breach notice could 
include a brief description of the nature of the security breach, the 
potential threat to victims of the incident, and measures to be taken 
to protect against identity theft. The notice could provide additional 
details about the incident as an attachment or by providing links to 
additional information. This would accomplish the purpose of 
communicating the key details in a brief format, while still providing 
complete information to those who require it. Given that people may be 
adversely affected by a compromise of their personal information, it is 
critical that they fully understand the nature of the threat and the 
options they have to address it. 

In summary, agencies can take a number of actions to help guard against 
the possibility that databases of personally identifiable information 
are inadvertently compromised, among which developing PIAs and ensuring 
that a robust information security program is in place are key. More 
specific practical measures aimed at preventing inadvertent data 
breaches include limiting the collection of personal information, 
limiting data retention, limiting access to personal information and 
training personnel accordingly, and considering using technological 
controls such as encryption when data need to be stored on mobile 
devices. Nevertheless, data breaches can still occur at any time, and 
when they do, notification to the individuals affected and/or the 
public has clear benefits, allowing people the opportunity to take 
steps to protect themselves against the dangers of identity theft. Care 
is needed in defining appropriate criteria if agencies are to be 
required to report security breaches to the public. Further, care is 
also needed to ensure that notices are useful and easy-to-understand so 
that they are effective in alerting individuals to actions they may 
want to take to minimize the risk of identity theft. 

As Congress considers legislation requiring agencies to notify 
individuals or the public about security breaches, it should ensure 
that specific criteria are defined for incidents that merit public 
notification. It may want to consider creating a two-tier reporting 
requirement, in which all security breaches are reported to OMB, and 
affected individuals are notified only of incidents involving 
significant risk. Further, Congress should consider requiring OMB to 
provide guidance to agencies on how to develop and issue security 
breach notices to affected individuals. 

Mr. Chairman, this concludes my testimony today. I would happy to 
answer any questions you or other members of the committee may have. 

Contacts and Acknowledgements: 

If you have any questions concerning this testimony, please contact 
Linda Koontz, Director, Information Management, at (202) 512-6240, or 
koontzl@gao.gov. Other individuals who made key contributions include 
Idris Adjerid, Barbara Collier, John de Ferrari, David Plocher, and 
Jamie Pressman. 

Attachment I: Selected GAO Products Related to Privacy Issues: 

Privacy: Key Challenges Facing Federal Agencies. GAO-06-777T. 
Washington, D.C.: May 17, 2006. 

Personal Information: Agencies and Resellers Vary in Providing Privacy 
Protections. GAO-06-609T. Washington, D.C.: April 4, 2006. 

Personal Information: Agency and Reseller Adherence to Key Privacy 
Principles. GAO-06-421. Washington, D.C.: April 4, 2006. 

Information Security: Federal Agencies Show Mixed Progress In 
Implementing Statutory Requirements. GAO-06-527T. Washington, D.C.: 
March 16, 2006. 

Information Security: Department of Health and Human Services Needs to 
Fully Implement Its Program. GAO-06-267. Washington, D.C.: February 24, 
2006. 

Data Mining: Agencies Have Taken Key Steps to Protect Privacy in 
Selected Efforts, but Significant Compliance Issues Remain. GAO-05-866. 
Washington, D.C.: August 15, 2005. 

Aviation Security: Transportation Security Administration Did Not Fully 
Disclose Uses of Personal Information during Secure Flight Program 
Testing in Initial Privacy Notices, but Has Recently Taken Steps to 
More Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22, 
2005. 

Information Security: Weaknesses Persist at Federal Agencies Despite 
Progress Made in Implementing Related Statutory Requirements. GAO-05- 
552. Washington, D.C.: July 15, 2005. 

Identity Theft: Some Outreach Efforts to Promote Awareness of New 
Consumer Rights are Under Way. GAO-05-710. Washington, D.C.: June 30, 
2005. 

Information Security: Department of Homeland Security Needs to Fully 
Implement Its Security Program. GAO-05-700. Washington, D.C.: June 17, 
2005. 

Electronic Government: Federal Agencies Have Made Progress Implementing 
the E-Government Act of 2002. GAO-05-12. Washington, D.C.: December 10, 
2004. 

Social Security Numbers: Governments Could Do More to Reduce Display in 
Public Records and on Identity Cards. GAO-05-59. Washington, D.C.: 
November 9, 2004. 

Federal Chief Information Officers: Responsibilities, Reporting 
Relationships, Tenure, and Challenges, GAO-04-823. Washington, D.C.: 
July 21, 2004. 

Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548. 
Washington, D.C.: May 4, 2004. 

Privacy Act: OMB Leadership Needed to Improve Agency Compliance. GAO- 
03-304. Washington, D.C.: June 30, 2003. 

Data Mining: Results and Challenges for Government Programs, Audits, 
and Investigations. GAO-03-591T. Washington, D.C.: March 25, 2003. 

Technology Assessment: Using Biometrics for Border Security. GAO-03- 
174. Washington, D.C.: November 15, 2002. 

Information Management: Selected Agencies' Handling of Personal 
Information. GAO-02-1058. Washington, D.C.: September 30, 2002. 

Identity Theft: Greater Awareness and Use of Existing Data Are Needed. 
GAO-02-766. Washington, D.C.: June 28, 2002. 

Social Security Numbers: Government Benefits from SSN Use but Could 
Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002. 

Attachment 2: The Fair Information Practices: 

The Fair Information Practices are not precise legal requirements. 
Rather, they provide a framework of principles for balancing the need 
for privacy with other public policy interests, such as national 
security, law enforcement, and administrative efficiency. Ways to 
strike that balance vary among countries and according to the type of 
information under consideration. The version of the Fair Information 
Practices shown in table 1 was issued by the Organization for Economic 
Cooperation and Development (OECD) in 1980[Footnote 27] and has been 
widely adopted. 

Table 1: The Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safegaurds; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

[End of table] 

[End of Section] 

FOOTNOTES 

[1] For purposes of this testimony, the term personal information 
encompasses all information associated with an individual, including 
both identifiable and nonidentifying information. Personally 
identifiable information, which can be used to locate or identify an 
individual, includes such things as names, aliases, and Social Security 
numbers. Nonidentifying personal information includes such things as 
age, education, finances, criminal history, physical attributes, and 
gender. 

[2] GAO, Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles, GAO-06-421, (Washington: D.C.: Apr. 4, 2006). 

[3] Under the Privacy Act of 1974, the term "routine use" means (with 
respect to the disclosure of a record) the use of such a record for a 
purpose that is compatible with the purpose for which it was collected. 
5 U.S.C. § 552a(a)(7). 

[4] Office of Management and Budget, Safeguarding Personally 
Identifiable Information, M-06-15 (Washington, D.C.: May 22, 2006). 

[5] Congress used the committee's final report as a basis for crafting 
the Privacy Act of 1974. See U.S. Department of Health, Education, and 
Welfare, Records, Computers and the Rights of Citizens: Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems 
(Washington, D.C.: July 1973). 

[6] Office of Management and Budget, OMB Guidance for Implementing the 
Privacy Provisions of the E-Government Act of 2002, M-03-22 
(Washington, D.C.: Sept. 26, 2003). 

[7] The E-Government Act requires agencies, if practicable, to make 
privacy impact assessments publicly available through agency Web sites, 
publication in the Federal Register, or by other means. Pub. L. 107- 
347, § 208(b)(1)(B)(iii). 

[8] FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 
17, 2002). 

[9] At least one agency has developed its own requirement for breach 
notification. Specifically, the Department of Defense instituted a 
policy in July 2005 requiring notification to affected individuals when 
protected personal information is lost, stolen, or compromised. 

[10] Information resellers are companies that collect information, 
including personal information about consumers, from a wide variety of 
sources for the purpose of reselling such information to their 
customers, which include both private-sector businesses and government 
agencies. For additional information, see GAO-06-421. 

[11] States that have enacted breach notification laws include Arizona, 
Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, 
Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, 
Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, 
Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington, 
and Wisconsin. 

[12] H.R. 4127; introduced by Representative Clifford B. Stearns on 
October 25, 2005. 

[13] S. 751; introduced by Senator Dianne Feinstein on April 11, 2005. 

[14] See, for example, GAO, Information Security: Department of Health 
and Human Services Needs to Fully Implement Its Program, GAO-06-267 
(Washington, D.C.: February 24, 2006) and Information Security: 
Department of Homeland Security Needs to Fully Implement Its Security 
Program, GAO-05-700 (Washington, D.C.: June 17, 2005). 

[15] GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy 
in Selected Efforts, but Significant Compliance Issues Remain, GAO-05- 
866 (Washington, D.C.: Aug. 15, 2005). 

[16] GAO-06-421, pp. 59-61. 

[17] GAO, Information Security: Weaknesses Persist at Federal Agencies 
Despite Progress Made in Implementing Related Statutory Requirements, 
GAO-05-552 (Washington, D.C.: July 15, 2005). 

[18] GAO, Information Security: Federal Agencies Show Mixed Progress In 
Implementing Statutory Requirements, GAO-06-527T (Washington, D.C.: 
March 16, 2006). 

[19] State of California Department of Consumer Affairs, Recommended 
Practices on Notice of Security Breach Involving Personal Information 
(April 2006), p. 6. 

[20] Synovate, Federal Trade Commission Identity Theft Survey Report 
(McLean, Va.: September 2003). 

[21] Federal Trade Commission, Prepared Statement of the Federal Trade 
Commission Before the Committee on Commerce, Science, and 
Transportation, U.S. Senate, on Data Breaches and Identity Theft 
(Washington, D.C.: June 16, 2005), p. 10. 

[22] Federal Trade Commission, Prepared Statement on Data Breaches and 
Identity Theft, p. 10. 

[23] Center for Democracy and Technology, Securing Electronic Personal 
Data: Striking a Balance between Privacy and Commercial and Government 
Use (Apr. 13, 2005), p. 7. 

[24] State of California, Recommended Practices on Notice of Security 
Breach. 

[25] Federal Trade Commission, Information Compromise and the Risk of 
Identity Theft: Guidance for Your Business (June 2004). 

[26] Kleimann Communication Group, Inc., Evolution of a Prototype 
Financial Privacy Notice: A Report on the Form Development Project 
(Feb. 28, 2006). 

[27] OECD, Guidelines on the Protection of Privacy and Transborder Flow 
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in 
fostering good governance in the public service and in corporate 
activity among its 30 member countries. It produces internationally 
agreed-upon instruments, decisions, and recommendations to promote 
rules in areas where multilateral agreement is necessary for individual 
countries to make progress in the global economy.

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: