Cybersecurity High-Risk Series: Challenges in Protecting Privacy and Sensitive Data

Federal systems are vulnerable to cyberattacks. GAO has made 236 recommendations in public reports since 2010 with respect to protecting privacy and sensitive data. Until these are fully implemented, federal agencies will be more limited in their ability to protect the private and sensitive data entrusted to them.

In September 2022, GAO's review of 24 agencies found that most had generally established policies and procedures for key privacy program activities. These activities included, among other things, developing system-of-records notices that identify the types of personal data collected, conducting privacy impact assessments, and documenting privacy program plans. Agencies varied in establishing policies and procedures for coordinating their privacy programs with other agency functions. Further, many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials' input into the authorization of systems containing personally identifiable information (PII), or develop a continuous monitoring strategy for privacy. Without fully establishing these elements of their privacy programs, agencies have less assurance that they are consistently implementing privacy protections. GAO recommended that:

  • Congress should consider legislation to designate a dedicated, senior-level privacy official at agencies that lack one;
  • The Office of Management and Budget should facilitate information sharing to help agencies address selected challenges and better implement privacy impact assessments;
  • 23 of the 24 agencies GAO reviewed should fully implement all of the key practices for their privacy programs;
  • Federal financial regulators should better ensure the privacy of the PII that they collect, use, and share;
  • Congress should consider legislation to improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans;
  • Congress should consider legislation to improve the protection of federally collected and maintained personal and sensitive data.
