GAO report targets data breach guidelines

Report says agencies need to know how and when to offer credit monitoring and other services to reduce the risk of identity theft.


A U.S. Government Accountability Office (GAO) report issued Monday in response to a May 2006 data breach at the Department of Veterans Affairs says federal agencies should have uniform guidelines governing when to offer credit monitoring to individuals whose personal information is exposed.

Veterans were denied the opportunity to take prompt steps to protect themselves against identity theft last year because internal delays kept key VA officials, including the agency’s secretary, in the dark for up to two weeks, the report states. One lesson learned after the breach is that federal agencies must have rapid internal notification of key officials, the GAO said.

“Because of these delays, the department’s decision about how to respond was also delayed,” the GAO said in its report today. “Prompt internal notification would help ensure that future data breaches are addressed promptly, maximizing the opportunity for affected individuals to effectively take precautions.”

A VA laptop and external storage device containing the names, Social Security numbers and dates of birth of all veterans discharged since 1975 were stolen from a VA employee's home last year, exposing data on 26.5 million veterans and 2.1 million active and reserve service members. (See the apology VA mailed to veterans.)

Today’s report urges the Office of Management and Budget, which oversees security and privacy for the federal government, to develop guidance agencies can use when determining whether to offer credit monitoring and other services that may reduce the risk of identity theft. Without such guidance, the GAO said, agencies may make inconsistent decisions that leave some people more vulnerable than others.

The Office of Management and Budget addressed many of the concerns raised by the data breach in guidance it issued last year, but so far has not assisted agency officials “in making consistent risk-based determinations about when to offer credit monitoring or other protection services,” the GAO says.

Data breaches should not always be reported to affected individuals, the GAO says. Notification when there is little or no risk of harm might create “unnecessary concern and confusion,” desensitize consumers to the dangers of identity theft, and be costly for both government agencies and individuals, the report states.

To ensure consistency, the GAO says each agency should have a core group of senior officials that meets after every breach and determines the agency’s response, and have mechanisms in place to obtain contact information for individuals in danger of identity theft.

Internal training and awareness must be in place to ensure timely responses to breaches, and public interaction after such incidents requires careful coordination and can be costly, the report also says.
