Lawmakers call for accounting of data breaches

Committee wants picture of cybersecurity compromises

The House Government Reform Committee wants a governmentwide picture of the risk from data breaches and has given agencies two weeks to provide a list of compromises since 2003.

Committee chairman Tom Davis (R-Va.) and ranking member Henry Waxman (D-Calif.) last week asked all cabinet-level agencies, the Office of Personnel Management and the Social Security Administration to report any 'loss or compromise of sensitive personal information held by the federal government since Jan. 1, 2003.' Agencies must deliver a summary of each incident by July 24.

Agencies recently have reported a plague of data breaches, especially since the Veterans Affairs Department experienced a loss of sensitive data for millions of veterans, reservists and active-duty personnel in May.

Since VA's data breach, the IRS, Social Security Administration, Navy, the Health and Human Services and Agriculture departments, and, last week, the State Department, also reported data compromises.

In the VA case, police have since recovered the missing laptop and the hard drive containing the sensitive data.

'Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information,' Davis said in a statement.

Agencies are to provide the committee with the date and circumstances of each data breach, information that was lost or compromised, number of individuals affected and remedial efforts.

However, one security expert said Davis will likely get information only about attacks that didn't hurt anyone or have already been made public.

'The agencies cannot answer that honestly, because if they do they will provide evidence that they had not told U.S. CERT about all of the attacks,' said Alan Paller, research director at the SANS Institute in Bethesda, Md.

Under the Federal Information Security Management Act, all federal civilian agencies are required to notify the U.S. Computer Emergency Response Team within one hour of discovery of any data breaches, unauthorized access or suspicious activity on their networks.

In a memo last week, Karen Evans, OMB administrator for e-government and IT, reinforced that rule.

Davis is working on legislation to strengthen notification requirements.

Last week, State said it was investigating a hack into unclassified department IT systems, starting with embassies and offices in the East Asia/Pacific region and migrating to department headquarters.

State cybersecurity personnel took immediate steps when they detected the intrusion, and initial findings show that they prevented any loss of sensitive information, State spokesman Sean McCormick said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

