IG: Justice inconsistent in reporting of data breaches


By Daniel Pulliam  
June 18, 2007

Officials at the Justice Department have failed to report certain 
computer security incidents within the time frame required by the Office 
of Management and Budget, according to an audit report released Monday.

The 142-page report [1] from Justice's inspector general office found 
that the department had not consistently implemented a July 2006 OMB 
requirement [2] that agencies report data breaches involving the loss of 
personally identifiable information within one hour of discovery. Recent 
computer security incidents, including the Veterans Affairs Department's 
May 2006 loss of 26.5 million records containing sensitive information 
on veterans, prompted the requirement.

Two of nine agencies within the department had not updated their 
policies and procedures to include the new OMB requirement, the IG 
found. And an analysis of nearly 200 computer security incidents from 
July to November 2006 found that officials failed to consistently report 
the loss of personally identifiable information within one hour to the 
department's Computer Emergency Readiness Team. The audit found that 
none of the incidents were reported within one hour to the Homeland 
Security Department's Computer Emergency Readiness Team, or US-CERT, as 
required by OMB.

Auditors also found that none of the department's component agencies 
have established procedures for notifying people who could be affected 
by the loss of personal information. "We believe that the lack of 
procedures could cause delays in notifying individuals whose information 
has been compromised, increasing the individuals' risk of falling victim 
to fraud or identity theft," the report stated.

In addition, the IG found that officials at the nine Justice agencies 
believed their employees followed the proper internal reporting 
procedures when issuing notifications of security incidents. But the 
information technology staff of the FBI was not always doing so in 
practice, the auditors found.

Incident reports are sent to two separate offices at the FBI, yet only 
one is required to relay them to the Justice team, the IG noted. The 
result is that some incidents do not get reported, the report stated.

On a more positive note, the IG found that several Justice agencies have 
taken extra steps to minimize unauthorized access to sensitive 
information and to educate employees on reporting requirements. These 
include posting security information on their intranet sites or on 
employee computer monitors upon login. The IG urged officials to 
consider adopting these procedures across the department.

Justice officials told the IG that reporting within an hour is not 
practical. They also said the guidance on reporting to US-CERT -- the 
organization responsible for coordinating the response to computer 
security incidents governmentwide -- is not clear on whether reports 
must arrive within the same hour as those to the Justice readiness team.

But officials concurred with the IG's eight recommendations to help 
improve the department's procedures, including one to clarify the 
deadlines for reporting incidents. The department also agreed to 
instruct agencies on proper reporting of incidents with classified 
information, and is developing reporting measures for ensuring that all 
agencies meet established time frames. Additionally, officials are 
developing procedures for notifying people affected by a loss of 
personal information.
