After looking at documentation and interviewing officials at the Department of Veterans Affairs and five other agencies that each experienced incidents that compromised information on over 10,000 individuals, GAO has compiled some lessons learned regarding how and when to notify government officials, affected individuals, and the public.
It said rapid internal notification of key government officials is a critical first step, and that a core group of senior officials should be designated to formulate the agency’s response.
The report acknowledges that most of the lessons it offers have already been addressed in OMB's 2006 guidance on data breach response, but GAO said guidance to assist agency officials in making consistent risk-based determinations about when to offer credit monitoring and other protections has not been developed, something that could leave some affected individuals more vulnerable than others.
Mechanisms must be in place to obtain contact information for affected individuals, and determining when to offer credit monitoring to affected individuals requires risk-based management decisions, according to GAO-07-657.
It said interaction with the public requires careful coordination and can be resource-intensive, and that internal training and awareness are critical to timely breach response, including notification.
Contractor responsibilities for breaches should also be clearly defined, the report said.