
Government Report on Privacy Breaches in Agencies

Last Friday (10/13) the U.S. Government Reform Committee released a report on the adequacy of the government's agency security practices, "STAFF REPORT AGENCY DATA BREACHES SINCE JANUARY 1, 2003."

The report discusses incidents within all the government agencies involving the loss or compromise of any sensitive personal information held by an agency or a contractor since January 1, 2003.

An important point made by the report is that, even though the agencies possess tremendous volumes of personal data, there is no requirement for any of the agencies to report breaches to the public, or even to the impacted individuals.  It seems that they should also have to abide by the existing state level breach notification laws, doesn't it?

"Legislation authored by Committee Chairman Tom Davis and included in the House passed Veterans Identity and Credit Security Act of 2006 would change that."

Actually, it appears that this proposed bill would apply only to the Department of Veterans Affairs. What is needed is a breach notification bill, and more broadly a comprehensive data protection bill, that applies to all organizations that handle personally identifiable information (PII): government, public, private, non-profit, and any others.

The report makes clear that the amount and type of information the agencies provided about their incidents varied greatly, so the report cannot be considered comprehensive. However, it contains some very interesting statistics and breach examples. The four conclusions of the report were:

"1. Data loss is a government-wide occurrence.
All 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003. This is not a problem that is restricted to the Department of Veterans Affairs or any other single agency.

2. Agencies do not always know what has been lost.
The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential.
Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches.
Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors."

The report then goes on to detail the reported privacy breaches within each of the agencies. It is quite interesting: many of the incidents had not previously been reported.

The report concludes:

"Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since January 1, 2003. The reports show a wide range of incidents, involving employee carelessness, contractor misconduct, and third-party thefts. The number of individuals affected in each incident ranges from one to millions. However, in many cases, the agency does not know what information was lost or how many individuals potentially could be affected. Few of these incidents have been reported publicly, and it is unclear in many cases whether affected individuals have been notified or whether remedial action has been taken.

Data held by Federal agencies remains at risk.  In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen, or misplaced. In addition, in almost all of the reported cases, Congress and the public would not have learned of each event unless the Committee had requested this information.

Finally, each year, the Committee releases information security scorecards. This year the scores for many departments remained low or dropped precipitously. The federal government overall received a D+."


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.