Privacy: Lessons Learned about Data Breach Notification 	 
(30-APR-07, GAO-07-657).					 
                                                                 
A May 2006 data breach at the Department of Veterans Affairs (VA)
and other similar incidents since then have heightened awareness 
of the importance of protecting computer equipment containing	 
personally identifiable information and responding effectively to
a breach that poses privacy risks. GAO's objective was to	 
identify lessons learned from the VA data breach and other	 
similar federal data breaches regarding effectively notifying	 
government officials and affected individuals about data	 
breaches. To address this objective, GAO analyzed documentation  
and interviewed officials at VA and five other agencies regarding
their responses to data breaches and their progress in		 
implementing standardized data breach notification procedures.	 
The cases at the other agencies were chosen because, like the VA 
case, they involved loss or theft of computing equipment and	 
relatively large numbers of affected individuals (10,000 or	 
more).								 
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-07-657
    ACCNO:   A68865
    TITLE:   Privacy: Lessons Learned about Data Breach Notification
     DATE:   04/30/2007
  SUBJECT:   Computer security
             Computer security incidents
             Identity theft
             Information security
             Information technology
             Larceny
             Lessons learned
             Monitoring
             Policy evaluation
             Privacy law
             Right of privacy
             Security policies

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-657

Report to Congressional Requesters

April 2007

PRIVACY

Lessons Learned about Data Breach Notification

Contents

April 30, 2007

Letter

Congressional Requesters

In May 2006, the Department of Veterans Affairs (VA) announced that
computer equipment containing personally identifiable information (PII)^1
on approximately 26.5 million veterans and active duty members of the
military was stolen from the home of a VA employee. Until the equipment
was recovered, veterans did not know whether their information was likely
to be misused. In addition to concerns about protecting personal
information, the incident highlighted unclear policy about security breach
notification procedures. The VA data breach coupled with recent reports of
other federal data breach incidents have heightened awareness of the need
for agencies to be prepared to effectively respond to a breach that poses
privacy risks.

While existing laws generally do not require agencies to notify affected
individuals of data breaches, such notification appears to be consistent
with agencies' responsibilities under the Privacy Act of 1974 and promotes
accountability for privacy protection.^2 When data breaches occur,
notification has clear benefits such as allowing the affected individuals
the opportunity to take steps to protect themselves from identity theft or
other misuse of their personal information.

However, as we noted in June 2006, public notification of data breaches
presents challenges as well as benefits.^3 Determining the specific
criteria for incidents that merit notification involves these important
considerations:

o Notification of a breach when there is little or no risk of harm might
create unnecessary concern and confusion.

o Sending too many notices, based on overly strict criteria, could render
all such notices less effective, because consumers could become
desensitized to them and fail to act when risks are truly significant.

o The costs associated with notification are not insignificant for either
agencies or individuals.

As agreed with the requesters' staff, our objective was to identify
lessons learned from the VA data breach and other similar federal data
breaches regarding effectively notifying government officials and affected
individuals about data breaches.

To address our objective, we analyzed documentation capturing lessons
learned from VA's data breach, including reports on actions taken and
planned to address the data breach and to protect personal information. We
interviewed VA officials regarding how they decided to address data breach
notification and their plans and progress in implementing standardized
data breach notification procedures. We also analyzed current federal
guidance on data breach notification procedures and interviewed cognizant
officials about the guidance. In addition, we examined similar data breach
cases at five other agencies--the Departments of Agriculture, Defense,
Education, Health and Human Services (HHS), and Transportation--to
determine their notification practices and lessons learned regarding how
and when to notify affected individuals or the public. These cases were
chosen because, like the VA case, they involved relatively large numbers
of affected individuals (10,000 or more) and also involved circumstances
similar to VA's--the loss or theft of computing equipment containing PII.
The cases at Agriculture, Education, and HHS involved data breaches of
information held by contractors. We conducted our review in accordance
with generally accepted government auditing standards from August 2006
through February 2007.

On March 9, 2007, we provided staff of requesters with a briefing on the
results of our study. The slides from that briefing, with minor technical
clarifications, are included as appendix I of this report. The purpose of
this report is to provide the published briefing slides to you and to
officially transmit our recommendation to the Office of Management and
Budget (OMB).

In summary, based on the experience of VA and other federal agencies in
responding to data breaches, we identified the following lessons learned
regarding how and when to notify government officials, affected
individuals, and the public:

o Rapid internal notification of key government officials is critical.
Internal delays prevented key VA officials, including the Secretary, from
being aware of the data breach until as long as two weeks after it
occurred. Because of these delays, the department's decision about how to
respond was also delayed. As a result, affected individuals were denied
the opportunity to take prompt steps to protect themselves against the
dangers of identity theft. Prompt internal notification would help ensure
that future data breaches are addressed promptly, maximizing the
opportunity for affected individuals to effectively take precautions.

o Because incidents vary, a core group of senior officials should be
designated to make decisions regarding an agency's response. In the VA
incident, a variety of key decisions needed to be made, including what
information had been compromised, what risks the theft posed, and how
affected individuals should be notified. Cognizant officials at VA were
initially unsure about who should be involved in decision making about the
incident. Establishment of core management groups within agencies that can
be convened in the event of a breach to evaluate the situation and guide
the agency's response should help ensure that future data breaches are
addressed consistently.

o Mechanisms must be in place to obtain contact information for affected
individuals. VA and other agencies faced challenges in identifying
addresses for all individuals affected by their data breaches. If proper
public notices as required by the Privacy Act are made in advance, key
agencies are more likely to be in a position to assist in responding
to data breaches by providing address or other contact information to
affected agencies.

o Determining when to offer credit monitoring to affected individuals
requires risk-based management decisions. Agencies have made varying
decisions about how and when to offer credit monitoring. As a result,
affected individuals may not always receive a consistent level of support
from the federal government when their personal information is
compromised. Until guidance is available to promote consistent decision
making by federal agencies, protections offered to affected individuals
are likely to remain inconsistent.

o Interaction with the public requires careful coordination and can be
resource-intensive. VA invested substantially in facilities to handle
follow-on inquiries and to provide information and support to affected
individuals after notifications were issued. Other agencies have also
taken a variety of actions to establish call centers to interact with the
public.

o Internal training and awareness are critical to timely breach response,
including notification. The slow response to the May 2006 VA incident
highlighted the need for personnel to be more aware of the agency's
privacy and security procedures, including incident response and reporting
procedures. Because a prompt response is critical, agency personnel must
be prepared in advance with an understanding of their roles and
responsibilities in responding to a data breach.

o Contractor responsibilities for data breaches should be clearly defined.
While the VA data breach did not involve contractors, the issue of
contractor responsibilities has figured prominently in three other recent
incidents (at Agriculture, Education, and HHS). Contractor obligations
for taking steps, such as notifying affected individuals or providing
credit monitoring, may be unclear unless specified in the contract.

These lessons have largely been addressed in guidance from OMB, which is
responsible for overseeing security and privacy within the federal
government. However, guidance to assist agency officials in making
consistent risk-based determinations about when to offer credit monitoring
or other protection services has not been developed. Without such
guidance, agencies could make inconsistent decisions about what
protections to offer affected individuals, potentially leaving some more
vulnerable than others.

Conclusions

VA's data breach of May 2006 and other recent federal data breaches
provide valuable lessons learned for agencies about responding to such
incidents. Key government officials need to be informed promptly, and a
designated group of agency officials must be ready to make prompt
decisions about notification, which can be challenging if address
information is not readily available. Careful planning is needed to be
able to interact effectively with the public, training and awareness are
critical, and contractor roles and responsibilities must be defined.

To its credit, OMB responded to the VA data breach by issuing guidance and
forwarding recommendations by the ID Theft Task Force that largely address
these lessons. However, the issue of how to make risk-based determinations
on when to offer credit monitoring and when to contract for an alternative
form of monitoring, such as data breach monitoring, has not been addressed
in guidance. Without such guidance, agencies are likely to continue to
make inconsistent decisions about what protections to offer affected
individuals.

Recommendation for Executive Action

We recommend that the Director of OMB develop guidance for federal
agencies on conducting risk analyses to determine when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of identity
theft as a result of a federal data breach.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from the OMB
Administrator of the Office of E-Government and Information Technology and
from the Secretary of Veterans Affairs. (These written comments are
reproduced in apps. II and III.) OMB agreed with our recommendation and
noted that while it is important that individuals receive consistent
responses and levels of support from federal agencies, the same response
or type of support will not be appropriate in every situation. We agree
that appropriate responses must be tailored to address the circumstances
of the breach and believe additional guidance from OMB can facilitate
consistent agency decision making about such responses. In addition, OMB
commented that our definition of PII is similar to one it has used and
noted that its definition of PII is likely to be revised in the future.
However, we believe the definition we have used is appropriate for the
material discussed in this report.

In written comments on the draft of this report, the Secretary of VA
agreed with our findings and our recommendation to OMB. The Secretary also
stated that VA is finalizing its new data breach regulation that
implements the Veterans Benefits, Health Care, and Information Technology
Act of 2006, Public Law 109-461.^4 This act requires VA to issue interim
regulations for the provision of certain services, including notification,
in the event that a data breach of veterans' sensitive personal
information results in a determination that a reasonable risk exists for
the potential misuse of the information.

We are sending copies of this report to interested congressional
committees; the Secretary of Veterans Affairs; the Director, OMB; and
other interested parties. We will also make copies available to others
upon request. In addition, the report will be available at no charge on
the GAO Web site at www.gao.gov.

Should you have any questions on matters contained in this report, please
contact me at (202) 512-6240 or by e-mail at [email protected]. GAO
staff who made major contributions to this report are included in appendix
IV.

Linda D. Koontz
Director, Information Management Issues

List of Requesters

The Honorable Harry Reid
Majority Leader
United States Senate

The Honorable Daniel K. Akaka
Chairman Committee on Veterans' Affairs
United States Senate

The Honorable Joseph I. Lieberman
Chairman
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Bob Filner
Chairman
Committee on Veterans' Affairs
House of Representatives

The Honorable Hillary Rodham Clinton
United States Senate

The Honorable Byron L. Dorgan
United States Senate

The Honorable Patty Murray
United States Senate

The Honorable Barack Obama
United States Senate

The Honorable John D. Rockefeller, IV
United States Senate

The Honorable Ken Salazar
United States Senate

The Honorable Charles E. Schumer
United States Senate

Appendix I:  Briefing to Staff of Congressional Requesters

Appendix II:  Comments from the Office of Management and Budget

Appendix III:  Comments from the Department of Veterans Affairs

Appendix IV:  GAO Contact and Staff Acknowledgments

GAO Contact

Linda D. Koontz, (202) 512-6240

Staff Acknowledgments

In addition to the individual named above, other key contributors to the
report were John de Ferrari, Assistant Director; Michael A. Alexander; and
Nancy Glover.

(310785)

www.gao.gov/cgi-bin/getrpt?GAO-07-657

For more information, contact Linda D. Koontz at (202) 512-6240 or
[email protected].

Highlights of GAO-07-657, a report to congressional requesters

April 2007

PRIVACY

Lessons Learned about Data Breach Notification

What GAO Recommends

To better ensure that individuals who are at risk of identity theft are
offered consistent levels of support, GAO is recommending that the
Director of OMB develop guidance for agencies on when to offer credit
monitoring and when to contract for an alternative form of monitoring,
such as data breach monitoring, to assist individuals at risk of identity
theft. In written comments on a draft of this report, OMB and VA concurred
with GAO's recommendation.

Based on the experience of VA and other federal agencies in responding to
data breaches, GAO identified the following lessons learned regarding how
and when to notify government officials, affected individuals, and the
public:

           o Rapid internal notification of key government officials is
           critical.
           o Because incidents vary, a core group of senior officials should
           be designated to make decisions regarding an agency's response.
           o Mechanisms must be in place to obtain contact information for
           affected individuals.
           o Determining when to offer credit monitoring to affected
           individuals requires risk-based management decisions.
           o Interaction with the public requires careful coordination and
           can be resource-intensive.
           o Internal training and awareness are critical to timely breach
           response, including notification.
           o Contractor responsibilities for data breaches should be clearly
           defined.

These lessons have largely been addressed in guidance issued in 2006 from
the Office of Management and Budget (OMB), which is responsible for
overseeing security and privacy within the federal government. However,
guidance to assist agency officials in making consistent risk-based
determinations about when to offer credit monitoring or other protection
services has not been developed. Without such guidance, agencies are
likely to continue to make inconsistent decisions about what protections
to offer affected individuals, potentially leaving some people more
vulnerable than others.
