Agencies don’t know what sensitive data new IT systems collect on Americans, GAO report finds
More than two decades after being tasked with establishing privacy programs, 14 federal agencies have failed to address key practices for protecting the sensitive personal data of Americans, a new Government Accountability Office report finds.
Agencies that have not fully implemented their privacy programs include the Office of Personnel Management, which was the target of a 2015 data breach that exposed the sensitive personal information of more than 20 million current and former government employees, contractors and applicants.
The other agencies that have not developed a full privacy strategy include the Departments of Agriculture, Defense, Justice, Homeland Security, Housing and Urban Development, Veterans Affairs, State and the Treasury, as well as the Environmental Protection Agency.
The GAO considers a privacy program fully established when an agency has put privacy protections for sensitive data in place, designated a privacy official responsible for managing privacy risks to its information systems, and set up a strategy for continuously monitoring those risks.
“Without fully establishing these elements of their privacy programs, agencies have less assurance that they are consistently implementing privacy protections,” the GAO wrote in the report, which was requested by members of the U.S. Senate Committee on Homeland Security & Governmental Affairs.
A rise in breaches of federal agencies involving personally identifiable information (PII) in recent years highlights the ongoing challenge the federal government faces in protecting privacy, especially as it adopts new and emerging technologies.
In fiscal year 2020, federal agencies reported more than 30,000 privacy-related incidents to the Cybersecurity and Infrastructure Security Agency, an 8% increase from the year before. Among those incidents was a January 2020 breach of the U.S. Marshals Service’s Detention Services Network System, which exposed the PII of an estimated 387,000 people.
The report also identified serious issues with the privacy impact assessments agencies use to weigh the privacy implications of new technologies. Half of the surveyed agencies said they were not always aware of which of their systems collected personally identifiable information, and therefore did not know when an assessment was needed. In many cases, assessments were not started until long after the technology had been deployed.
Congress has questioned the efficacy of such assessments before, most recently asking why a privacy impact assessment from the IRS failed to address the use of facial recognition technology by ID.me, the identity verification contractor the agency had engaged.
The majority of responding agencies reported insufficient resources as a driving challenge in implementing privacy programs, including being short-staffed and having privacy officials pulled onto other priorities. For instance, Social Security Administration privacy officials reported having to reallocate resources during the COVID-19 pandemic. The majority of agencies also reported difficulty applying privacy requirements to new and emerging technologies, such as cloud services and artificial intelligence, because of a lack of federal guidance.
The report recommends that Congress consider legislation designating a senior privacy official at each agency whose primary duty is privacy.
Congress should adopt the GAO’s recommendation to require chief privacy officers and should let agencies offer competitive salaries to recruit in-demand privacy personnel, Sen. Ron Wyden, D-Ore., told CyberScoop in a statement.
“The Government Accountability Office report identifies systemic failures in federal privacy protections that leave the personal data of Americans – including federal workers – far too vulnerable,” Wyden said. “The government simply doesn’t have the skilled privacy professionals it needs to adequately safeguard personal information.”
Nineteen of the 24 agencies reviewed agreed with the GAO’s recommendations to address concerns with their privacy programs. The Justice Department did not concur with the recommendations, and HUD did not say whether it concurred.