Federal Manager's Daily Report

Members of the Senate Homeland Security and Governmental Affairs Committee have said they will press OMB to update guidance on responding to data breaches involving personally identifiable information, and for agencies to make improvements to their existing response procedures.

Data breaches increased to 22,156 in fiscal 2012, an increase of 111 percent over 2009. After looking at eight agencies, GAO concluded that agency responses to breaches of PII need to be far more consistent.

It also found that DHS’s role of collecting information and providing assistance on PII breaches, as currently defined by federal law and policy, has provided few benefits. For example, OMB’s guidance to agencies requires them to report each PII-related breach to DHS’s U.S. Computer Emergency Readiness Team, US-CERT, within one hour of discovery. However, complete information from most incidents can take days or months to compile; therefore preparing a meaningful report within one hour can be infeasible, according to GAO-14-34.

Committee chair Tom Carper, D-Del., ranking member Tom Coburn, R-Okla., and former committee chair Susan Collins, R-Maine, said they would work toward a more consistent application of improved guidance.

Said Coburn: “I will continue to work with my colleagues on both sides of the aisle to prevent these types of incidents from happening in the first place, as well as reintroduce legislation that I have championed for several years, most recently with Senator Roy Blunt, R-Mo., that would help put better measures in place to ensure that businesses, federal agencies, and others that hold sensitive information respond swiftly and effectively to protect consumers in the unfortunate event of a breach.”

Coburn said he would try to work with the administration in making changes to improve notification practices, while Collins called on OMB to “improve its guidance addressing these breaches when they do occur and work with agencies to improve their response.”