Data breach reporting mandate may be a needless distraction
Federal agencies must report data breaches involving personally identifiable information to the Homeland Security Department within an hour of discovery, which is not a particularly useful endeavor, the Government Accountability Office says.
After just an hour, agencies often have little to report to US-CERT, the cyber incident response unit at DHS, but must do so under Office of Management and Budget guidance.
"OMB staff said that they were unaware of the rationale for the one hour time frame, other than a general concern that agencies report PII incidents promptly," says the recently released report, dated Dec. 9.
It can take weeks or months to gather complete information on data breaches.
Agencies reported 22,156 incidents involving personal information in fiscal 2012, up from 15,584 incidents the year before, and more than double the number from 2009.
"Agencies may be making efforts to meet the reporting requirements that could be diverting attention and limited resources from other breach response activities," the report says.
The requirement also forces agencies to file reports that are of little use to US-CERT, such as when a breach involves paper documents. Such incidents may affect only a few individuals, and they are outside the expertise of US-CERT (short for Computer Emergency Readiness Team).
Agencies also have to report lost or stolen hardware containing personal information, even when encryption makes it unlikely that the data will be compromised.
"US-CERT officials said they have little use for case-by-case reports" in those kinds of incidents, the report says.
Also, US-CERT does not use the information it collects to help resolve incidents or to provide technical assistance, which casts further doubt on the need for agencies to file a report immediately. US-CERT compiles the information for statistical purposes.
- download the report, GAO-13-34 (.pdf)