A Closer Look at Privacy as a High Risk Area - When Advancing Technology Meets Increasing Concerns

Posted on May 19, 2015

From online health care exchanges to mobile device location data, the privacy of personally identifiable information (PII) is a major concern when it comes to information technology. Today, we take a closer look at the privacy of PII, and why we added it as a key component of one of our longstanding High Risk areas—federal cybersecurity.

More Data, More Security Breaches

Advances in technology, such as new search technology and data analytics software for searching and collecting information, have allowed both government and private sector entities to collect and process extensive amounts of PII more easily.

As the amount of PII collected has grown, so has the threat of security breaches. We have found that the reported number of security incidents involving PII at federal agencies has increased significantly, as shown below.

(Excerpted from GAO-15-290)

In addition, recent high-profile breaches of PII have heightened concerns that personal privacy is not being adequately protected. For example,

  • a cyber attack on the Office of Personnel Management’s system for maintaining security clearance information last March may have exposed the PII of thousands of federal employees.
  • hackers stole credit and debit card information for 40 million Target customers in November and December 2013.

Multiple Threats to Privacy

Revelations about the extent to which private companies collect detailed information about people’s activities have raised concerns about the potential for significant erosion of personal privacy. For example, consumers may be unaware of how third parties can share and use smartphone location data, potentially putting people at risk of identity theft or other harm.

Your personal information that the federal government exchanges, collects, and uses is protected by the Privacy Act of 1974 and the E-Government Act of 2002, as well as federal guidance that requires government agencies to safeguard your PII. However, modern technology has rendered some of the provisions of the Privacy Act of 1974 inadequate to fully protect all PII. Further, federal agencies inconsistently notified individuals affected by high-risk data breaches.

Rogue entities may also threaten your privacy. For example, mobile devices may be vulnerable to malicious software applications that can threaten privacy by

  • accessing location and other sensitive information,
  • initiating telephone calls, or
  • activating the device’s microphone or camera to surreptitiously record information.

What’s Next?

PII remains at risk and improved protections are needed to ensure the privacy of information collected by the government and private sector.

As legislation in cybersecurity continues to expand, Congress should also consider amending applicable laws, such as the Privacy Act, to more fully protect PII and also ensure a consistent approach to implementing privacy controls.

For more, read our post on federal cybersecurity or listen to our podcast on the contractors responsible for protecting federal systems and information:


  • Questions on the content of this post? Contact Greg Wilshusen at wilshuseng@gao.gov.
  • Comments on GAO’s WatchBlog? Contact blog@gao.gov.
