GSA failed to inform breach victims for 2 years, IG says
A new inspector general’s report claims that the General Services Administration failed to inform some federal employees whose personally identifiable information was exposed in a 2015 breach for more than two years.
The report details the agency’s response to a September 2015 incident in which a GSA employee sent an unencrypted file containing the PII of more than 8,200 current and former GSA personnel — including names, home addresses and personal email addresses — to an external financial auditor. The auditor notified the GSA, which determined that a breach had occurred.
But according to an OIG report from a year later, the so-called Office of GSA IT failed to inform personnel that their information was exposed “due to a breakdown in its breach response process.” In that 2016 report, the OIG offered four recommendations, including that GSA review and certify its notification efforts and determine what other actions were needed to notify personnel whose information was exposed.
Despite the deputy CIO concurring with those recommendations, the OIG found in the new report released last week that 20 people were not notified of the breach until December 2017 — 809 days after their information was exposed.
“In February 2017, the Chief Privacy Officer provided the program office responsible for the breach with the names and addresses of the remaining 20 affected individuals and authorized the responsible program office to mail breach notifications to these individuals,” the report said. “We inquired about the status of these notifications in November 2017 and learned that the responsible program office still had not mailed the notifications to the affected individuals. After our inquiry, the responsible program office mailed the notifications to the remaining 20 individuals on Dec. 5, 2017.”
GSA’s breach notification policy originally called for the agency to notify people affected within 30 days of determining that a breach has occurred, but agency officials later extended that deadline to 60 days. The policy also does not provide a timeframe for how long the response team has to determine when a breach has happened, effectively providing no clear deadline for when to notify people that their information has been exposed.
“The Chief Privacy Officer stated that these changes allow GSA more time to investigate the breach and correctly understand all of the facts before attempting to notify those affected,” the report said. “Nonetheless, the changes place affected individuals at risk because they increase GSA’s timeframe to notify these individuals that their PII was exposed.”
The OIG looked at four other breaches that occurred in fiscal 2017, concluding that it took the response team an average of 70 days to confirm a breach. Combined with the notification window, that means a person whose information was exposed in a breach could wait up to 130 days or longer to be notified. In one instance, it took the response team 181 days to determine a breach had occurred, meaning it could have been up to eight months before those impacted were notified of the breach under the policy.
The OIG called on GSA officials to submit a revised action plan to address both the notification efforts and to assess clear roles, responsibilities and objectives for its breach notification policies by Nov. 19.