Agencies lag on reporting data breaches

About one-half of all major agencies have responded so far to a request by House Government Reform Committee Chairman Tom Davis (R-Va.) to report any loss or compromise of sensitive personal information since 2003.

Agencies were to deliver to the committee a summary of each incident by July 24.

Davis wanted a governmentwide picture of the risk from data breaches, and had given agencies two weeks to provide a list of compromises over the past three years.

Agencies that have responded include the Agriculture, Commerce, Education, Energy, Homeland Security, Labor, State, Transportation and Veterans Affairs departments, the Office of Personnel Management and the Social Security Administration, according to a committee staff member.

The Defense, Health and Human Services, Housing and Urban Development, Justice, Interior and Treasury departments have not responded, the staff member said.

Davis was surprised that all agencies didn't have this information at hand, given the recent attention surrounding the loss of sensitive personal information.

"You can't begin to fix a problem if you don't know the extent of it," Davis said.

The summaries are helpful for learning the facts that surround data theft, intrusion or negligence and the extent of notification.

"We want a view of how significant the problem is given the context of recent breaches and what's existed for the past two or three years, if there is something we were unaware of," the staff member said.

What the committee ultimately finds about data security could prompt other rules, standards and policies, the staff member said.

Agencies are to provide the committee with the date and circumstances of each data breach, information that was lost or compromised, number of individuals affected and remedial efforts.

Under the Federal Information Security Management Act, civilian agencies are required to notify the U.S. Computer Emergency Response Team within one hour of data breaches, unauthorized access or suspicious activity on their networks. The Office of Management and Budget last month expanded the rule to cover all incidents that include personally identifiable information.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

