Editor’s Note: The Testimony before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia by Gregory C. Wilshusen, GAO’s Director for Information Security Issues, is attached here.
Technological developments since the Privacy Act became law in 1974 have changed the way information is organized and shared among organizations and individuals. Such advances have rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all personally identifiable information collected, used, and maintained by the federal government. For example, GAO has reported on challenges in protecting the privacy of personal information relative to agencies’ use of Web 2.0 and data-mining technologies.
Agencies Can Take Action to Mitigate the Risks of Data Breaches, But Such Breaches Have Continued to Proliferate
In addition to relevant privacy laws and federal guidance, a key component of protecting citizens’ personal information is ensuring the security of agencies’ information systems and the information they contain by, among other things, preventing data breaches and reporting those breaches when they occur.
GAO also explained that:
OMB…issued guidance that specifies minimum agency practices for using encryption to protect personally identifiable information. Memorandums M-06-15, Safeguarding Personally Identifiable Information, and M-06-16, Protection of Sensitive Agency Information, reiterated existing agency responsibilities to protect personally identifiable information, and directed agencies to encrypt data on mobile computers and devices and follow National Institute of Standards and Technology (NIST) security guidelines regarding personally identifiable information that is accessed outside an agency’s physical perimeter. In addition, OMB issued memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, which restated the M-06-16 recommendations as requirements and also required the use of NIST-certified cryptographic modules for encrypting sensitive information.