2 DHS agencies have for the most part effectively managed “major” confidentiality incidents



Written by Dave Nyczepir

According to the Government Accountability Office, four agencies of the Department of Homeland Security suffered personally identifiable information breaches due to privacy incidents between July 2018 and June 2019.

Of the privacy-related incidents at Customs and Border Protection, the Federal Emergency Management Agency, Immigration and Customs Enforcement, and the Transportation Security Administration, only those at the first two were judged “major.”

Incidents putting sensitive information at risk are on the rise across government, but GAO has found all four agencies identified and reported theirs in a timely manner – although CBP has not communicated its most recent findings on the risk assessment or its decision not to notify affected persons due to a low risk of harm.

“Complete documentation of remediation activities helps ensure that all appropriate steps have been taken to reduce the potential damage that the loss, compromise or misuse of personal information could have on those affected,” reads the GAO report released on Friday.

GAO recommended that CBP fully document its risk assessments and recommendations for notifying those affected by privacy incidents in its incident database.

Of the other two agencies examined, DHS headquarters had a confidentiality incident but no personally identifiable information (PII) breaches, while the Coast Guard did not report any incidents.

DHS and its contractors keep “large amounts” of PII, from dates of birth to Social Security numbers, and the department has privacy policies in place for systems operated by contractors with which its agencies do not always comply, according to the report.

Headquarters and the Coast Guard have only partially administered annual, targeted, role-based confidentiality training for employees and contractors.

The Coast Guard has failed to address the privacy gaps. The GAO therefore recommended setting a deadline for developing a gap assessment and working with its procurement office to ensure that contractors agree to the confidentiality requirements.

The Coast Guard and TSA have not evaluated new instances of sharing personal information with third parties, so GAO recommended that they fully document the process.

The DHS Privacy Office has responded to GAO's recommendations that it review privacy training, that the Coast Guard create a gap assessment, and that the Coast Guard and TSA assess new sharing of personal information with third parties, and it asked GAO to close its recommendations. But the GAO found no evidence that these recommendations were heeded.

DHS has further agreed to work with CBP to update the department’s confidentiality incident management guidelines.

“This proposed language will include clearly defined roles for the publication of finalized risk assessments and an entry in the incident log when an accident is classified as MAJOR / SIGNIFICANT,” the DHS response letter read.


