Agencies lag on reporting data breaches
- By Mary Mosquera
- Aug 17, 2006
About one-half of all major agencies have responded so far to a request by House Government Reform Committee Chairman Tom Davis (R-Va.) to report any loss or compromise of sensitive personal information since 2003.
Agencies were to deliver to the committee a summary of each incident by July 24.
Davis wanted a governmentwide picture of the risk from data breaches, and had given agencies two weeks to provide a list of compromises over the past three years.
Agencies that have responded include the Agriculture, Commerce, Education, Energy, Homeland Security, Labor, State, Transportation and Veterans Affairs departments, the Office of Personnel Management and the Social Security Administration, according to a committee staff member.
The Defense, Health and Human Services, Housing and Urban Development, Justice, Interior and Treasury departments have not responded, the staff member said.
Davis was surprised that all agencies didn't have this information at hand, given the recent attention surrounding the loss of sensitive personal information.
"You can't begin to fix a problem if you don't know the extent of it," Davis said.
The summaries are helpful for learning the facts that surround data theft, intrusion or negligence and the extent of notification.
"We want a view of how significant the problem is given the context of recent breaches and what's existed for the past two or three years, if there is something we were unaware of," the staff member said.
What the committee ultimately finds about data security could prompt other rules, standards and policies, the staff member said.
Agencies are to provide the committee with the date and circumstances of each data breach, information that was lost or compromised, number of individuals affected and remedial efforts.
Under the Federal Information Security Management Act, civilian agencies are required to notify the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of data breaches, unauthorized access or suspicious activity on their networks. The Office of Management and Budget last month expanded the rule to cover all incidents that involve personally identifiable information, whether suspected or confirmed; the one-hour clock runs from discovery of the incident, not from confirmation that data was actually lost.
Mary Mosquera is a reporter for Federal Computer Week.