FEDweek IT

Data breaches increased to 22,156 in fiscal 2012, an increase of 111 percent over 2009, and agency responses to breaches of personally identifiable information need to be more consistent, GAO has said after reviewing practices at eight agencies.

It said the agencies generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII) that address key practices specified by OMB and the National Institute of Standards and Technology.

The agencies that GAO reviewed generally addressed key management and operational practices in their policies and procedures, although three agencies had not fully addressed all key practices, according to GAO-14-34.

For example, it said the Army, VA, and the Federal Deposit Insurance Corporation had not documented how risk levels had been determined and the Army had not offered credit monitoring consistently.

Further, none of the agencies reviewed consistently documented the evaluation of incidents and resulting lessons learned. Incomplete guidance from OMB contributed to this inconsistent implementation.

GAO made some 23 recommendations: to OMB, to update its guidance on federal agencies’ response to a data breach, and to specific agencies, to improve their responses to data breaches involving PII.