The General Services Administration’s Office of Inspector General said in a report issued Oct. 19 that it wants GSA’s IT Office (GSA IT) to provide a revised corrective action plan to improve the agency’s policies for responding to breaches of personally identifiable information (PII).
The request for a corrective action plan follows the IG’s review of the corrective actions that GSA IT previously took in response to a PII breach at GSA in 2015, actions that the IG said may end up hindering GSA IT’s “ability to notify affected individuals without unreasonable delay in the future.”
The story began in September 2015 when GSA reported a data breach that exposed PII of more than 8,200 current and former GSA employees.
In its September 2016 audit report, the IG found that GSA IT, which oversees the agency’s breach response and notification procedures, failed to notify individuals impacted by the breach as required by agency policy “due to a breakdown in its breach response process.” The IG issued recommendations for improvement, including evaluating breach response capabilities and policies and taking action to address deficiencies.
But in a separate review to determine whether GSA IT implemented the corrective actions included in the 2016 audit report, the IG found GSA IT’s actions to be lacking in two areas: 1) reviewing PII breach policies to determine strengths and weaknesses, changing policies as appropriate, and providing updates on roles and responsibilities to response team members prior to the first annual training and/or test; and 2) evaluating whether “every reasonable attempt” had been made to identify and notify individuals not previously notified of the data breach.
Regarding breach notification policies, the IG said GSA IT issued revised policies in 2017, but the IG found that those changes “allow for unreasonable delay” in the agency’s timeframe for determining whether a breach has occurred and providing notification to affected individuals.
The IG said it assessed the impact of the revised policies on four confirmed breaches in 2017, and found that GSA IT’s response team took an average of 70 days to determine if breaches took place. As GSA policy calls for notification of individuals within 60 days of a breach determination, the IG concluded that individuals may not be notified of a breach for 130 days after a breach occurred.
“GSA’s revisions to its Breach Notification Policy provide limited assurance that the Agency’s breach response process and procedures will enable it to respond to future PII breaches in a timely manner and without unreasonable delay,” the IG said, adding, “Therefore, we conclude that GSA IT did not satisfactorily complete this action step.”
The IG concluded that the breach notification policy revisions “did not meet the spirit of our recommendation, which was aimed at improving the Agency’s policies for responding to PII breaches,” and said GSA IT must submit a revised corrective action plan on that issue by Nov. 19.
On the breach notification front, the IG found GSA IT did not notify 20 individuals of the breach until December 2017, more than 800 days after the initial breach occurred. The IG said GSA IT should consider the factors that contributed to the delay and additional controls to prevent a recurrence of delayed notification, but it is requiring no other formal action on this issue.