Skip to main content

Privacy: Lessons Learned about Data Breach Notification

GAO-07-657 Published: Apr 30, 2007. Publicly Released: Apr 30, 2007.
Jump To:
Skip to Highlights


A May 2006 data breach at the Department of Veterans Affairs (VA) and other similar incidents since then have heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. GAO's objective was to identify lessons learned from the VA data breach and other similar federal data breaches regarding effectively notifying government officials and affected individuals about data breaches. To address this objective, GAO analyzed documentation and interviewed officials at VA and five other agencies regarding their responses to data breaches and their progress in implementing standardized data breach notification procedures. The cases at the other agencies were chosen because, like the VA case, they involved loss or theft of computing equipment and relatively large numbers of affected individuals (10,000 or more).


Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should develop guidance for federal agencies on conducting risk analyses to determine when to offer credit monitoring and when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft as a result of a federal data breach.
Closed – Not Implemented
In written comments on our report, the Administrator, Office of E-Government and Information Technology, Office of Management and Budget (OMB), stated that the office concurred with our recommendation. OMB's stated position was that further guidance and a risk-based framework would be sufficient to enable federal agencies to determine the appropriate response to a federal data breach commensurate with the level of risk of identify theft. On May 22, 2007, OMB issued guidance--Safeguarding Against and Responding to the Breach of Personally Identifiable Information--that is consistent with its stated position and offers a general framework for a risk-based response to data breaches. However, this document does not provide guidance to agencies specifically on when to offer credit monitoring or when to contract for an alternative form of monitoring, such as data breach monitoring, to assist individuals at risk of identity theft. As of August 2011, OMB has not revised this guidance or created new guidance to address when to offer credit monitoring or other services to individuals.

Full Report

GAO Contacts

Office of Public Affairs


Computer securityComputer security incidentsIdentity theftInformation securityInformation technologyLarcenyLessons learnedMonitoringPolicy evaluationPrivacy lawRight of privacySecurity policies