Federal agencies may not be taking corrective actions consistently to limit the risk of personally identifiable information data breach incidents, according to a Government Accountability Office report released Jan. 9.
The report found none of the agencies GAO reviewed consistently documented the evaluation of incidents and the resulting lessons learned.
GAO blamed the Office of Management and Budget for the lack of evaluation due to its incomplete guidance on the matter.
“Implementation of breach response policies and procedures was not consistent,” the report said. “Incomplete guidance from OMB allowed these agencies to implement data breach response policies and procedures inconsistently.”
As a result, GAO made 23 recommendations to OMB to update its guidance on federal agencies’ response to data breaches.
In 2012, agencies reported 22,156 data breaches, a 111 percent increase over 2009; the number of breaches rose steadily from 2009 to 2012.
The breaches can be particularly damaging to agencies such as the Department of Veterans Affairs, which is best known for the 2006 data breach involving the theft of the personal information of 26.5 million veterans and military members.
According to a 2012 study by the Ponemon Institute, the average cost of a data breach for U.S. companies was $188 per record.
The GAO report found that most of the agencies it investigated had developed policies and procedures for responding to data breaches involving PII; it was only the implementation that was inconsistent.
Three agencies did not even have well-developed plans for data breaches. The Army had not specified the parameters of offering assistance to affected individuals after a data breach.
Furthermore, the Army, VA and Federal Deposit Insurance Corporation had not documented how risk levels had been determined.