Agencies lag on reporting data breaches

About one-half of all major agencies have responded so far to a request by House Government Reform Committee Chairman Tom Davis (R-Va.) to report any loss or compromise of sensitive personal information since 2003.

Agencies were to deliver to the committee a summary of each incident by July 24.

Davis wanted a governmentwide picture of the risk from data breaches, and had given agencies two weeks to provide a list of compromises over the past three years.

Agencies that have responded include the Agriculture, Commerce, Education, Energy, Homeland Security, Labor, State, Transportation and Veterans Affairs departments, the Office of Personnel Management and the Social Security Administration, according to a committee staff member.

The Defense, Health and Human Services, Housing and Urban Development, Justice, Interior and Treasury departments have not responded, the staff member said.

Davis was surprised that all agencies didn't have this information at hand, given the recent attention surrounding the loss of sensitive personal information.

"You can't begin to fix a problem if you don't know the extent of it," Davis said.

The summaries are helpful for learning the facts that surround data theft, intrusion or negligence and the extent of notification.

"We want a view of how significant the problem is given the context of recent breaches and what's existed for the past two or three years, if there is something we were unaware of," the staff member said.

What the committee ultimately finds about data security could prompt other rules, standards and policies, the staff member said.

Agencies are to provide the committee with the date and circumstances of each data breach, information that was lost or compromised, number of individuals affected and remedial efforts.

Under the Federal Information Security Management Act, civilian agencies are required to notify the U.S. Computer Emergency Response Team within one hour of data breaches, unauthorized access or suspicious activity on their networks. The Office of Management and Budget last month expanded the rule to cover all incidents that include personally identifiable information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

