Federal agencies need to enhance their responses to data breaches, GAO told the Senate Homeland Security and Governmental Affairs Committee recently.
It said the number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years. It also said agency responses to PII data breaches are inconsistent and in need of improvement.
Implementation of key practices called for by OMB and NIST has also been inconsistent, GAO said. (Just two agencies notified affected individuals for all high-risk breaches, and none consistently documented lessons learned from their breach responses, according to GAO-14-487T.)
Committee chair Tom Carper, D-Del., noted that Congress could put in place a broad framework to standardize how breaches are handled. For example, he called for passage of the Data Security Act of 2014, which would require a uniform national notification standard for