Four agencies within the Department of Homeland Security experienced breaches of personally identifiable information due to privacy incidents between July 2018 and June 2019, according to the Government Accountability Office.
Of the privacy incidents at Customs and Border Protection, the Federal Emergency Management Agency, Immigration and Customs Enforcement, and the Transportation Security Administration, only the first two were deemed “major.”
Incidents placing sensitive information at risk are on the rise governmentwide, but GAO found all four agencies identified and reported theirs in a timely fashion — although CBP failed to report its most recent risk assessment findings or its decision not to notify people affected due to low risk of harm.
“Fully documenting remediation activities helps ensure that all appropriate steps have been taken to lessen potential harm that the loss, compromise or misuse of PII could have on affected individuals,” reads the GAO report released Friday.
GAO recommended CBP fully document its risk assessments and recommendations for notifying people affected in privacy incidents in its incident database.
Of the two other agencies reviewed, DHS Headquarters had a privacy incident but no breach of personally identifiable information (PII), while the Coast Guard reported no incidents.
DHS and its contractors maintain “large amounts” of PII, from dates of birth to Social Security Numbers, and the department has privacy policies in place for contractor-operated systems that its agencies don’t always comply with, according to the report.
Headquarters and the Coast Guard only partially administered annual and targeted, role-based privacy training for employees and contractors, so GAO recommended DHS’s Privacy Office begin providing it for contractors handling PII.
The Coast Guard failed to address gaps in privacy compliance, so GAO recommended it set a timeframe for developing a gap assessment and work with its acquisition office to ensure contractors accept privacy requirements.
Both the Coast Guard and TSA failed to evaluate new instances of PII sharing with third parties, so GAO recommended they fully document the process.
The DHS Privacy Office responded to GAO’s recommendations that it would review privacy training, and requested that GAO close its recommendations that the Coast Guard create a gap assessment and that both that agency and TSA evaluate new PII sharing with third parties. But GAO found no evidence those recommendations had been addressed.
DHS further agreed to work with CBP to update the department’s Privacy Incident Handling Guidance.
“This proposed language will include clearly delineated roles for the posting of finalized risk assessments and an incident journal input when an accident is categorized as MAJOR/SIGNIFICANT,” reads DHS’s response letter.