[Dataloss] IG: Justice inconsistent in reporting of data breaches

[security curmudgeon]

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.govexec.com/dailyfed/0607/061807p1.htm

By Daniel Pulliam
June 18, 2007

Officials at the Justice Department have failed to report certain computer 
security incidents within the time frame required by the Office of 
Management and Budget, according to an audit report released Monday.

The 142-page report [1] from Justice's inspector general office found that 
the department had not consistently implemented a July 2006 OMB 
requirement [2] that agencies report data breaches involving the loss of 
personally identifiable information within one hour of discovery. Recent 
computer security incidents, including the Veterans Affairs Department's 
May 2006 loss of 26.5 million records containing sensitive information on 
veterans, prompted the requirement.

Two of nine agencies within the department had not updated their policies 
and procedures to include the new OMB requirement, the IG found. And an 
analysis of nearly 200 computer security incidents from July to November 
2006 found that officials failed to consistently report the loss of 
personally identifiable information within one hour to the department's 
Computer Emergency Readiness Team. The audit found that none of the 
incidents were reported within one hour to the Homeland Security 
Department's Computer Emergency Readiness Team, or US-CERT, as required by 
OMB.

Auditors also found that none of the department's component agencies have 
established procedures for notifying people who could be affected by the 
loss of personal information. "We believe that the lack of procedures 
could cause delays in notifying individuals whose information has been 
compromised, increasing the individuals' risk of falling victim to fraud 
or identity theft," the report stated.

In addition, the IG found that officials at the nine Justice agencies 
believed their employees followed the proper internal reporting procedures 
when issuing notifications of security incidents. But the information 
technology staff of the FBI was not always doing so in practice, the 
auditors found.

Incident reports are sent to two separate offices at the FBI, yet only one 
is required to relay them to the Justice team, the IG noted. The result is 
that some incidents do not get reported, the report stated.

On a more positive note, the IG found that several Justice agencies have 
taken extra steps to minimize unauthorized access to sensitive information 
and to educate employees on reporting requirements. These include posting 
security information on their intranet sites or on employee computer 
monitors upon login. The IG urged officials to consider adopting these 
procedures across the department.

Justice officials told the IG that reporting within an hour is not 
practical. They also said the guidance on reporting to US-CERT -- the 
organization responsible for coordinating the response to computer 
security incidents governmentwide -- is not clear on whether reports must 
arrive within the same hour as those to the Justice readiness team.

But officials concurred with the IG's eight recommendations to help 
improve the department's procedures, including one to clarify the 
deadlines for reporting incidents. The department also agreed to instruct 
agencies on proper reporting of incidents with classified information, and 
is developing reporting measures for ensuring that all agencies meet 
established time frames. Additionally, officials are developing procedures 
for notifying people affected by a loss of personal information.

[1] http://www.usdoj.gov/oig/reports/plus/e0705/final.pdf
[2] http://govexec.com/dailyfed/0706/071406p1.htm