(Adds number of agencies under review, quote from report, background; paragraphs 5, 8-11)

WASHINGTON, April 2 - Federal agencies have a spotty record of handling data breaches, which can include the theft of sensitive information such as Social Security numbers, financial data and health history, the investigative arm of the U.S. Congress said in a report on Wednesday.

The number of such incidents involving personal data increased to 25,566 last year from 10,481 in 2009, the Government Accountability Office said. That total included both cyber crime and non-cyber breaches.

Incidents have ranged from the highly publicized theft in 2006 of a laptop and external hard drive belonging to the Veterans Affairs Department that contained personal data on 26.5 million veterans and active duty members of the military, to the hacking of a Federal Aviation Administration computer that contained data on 45,000 agency employees and retirees.

"It is critical that federal agencies take steps to secure the information that they collect, retain, and disseminate and that, when events such as data breaches occur, they respond swiftly and appropriately," Gregory Wilshusen, the GAO's director of information security issues, said in remarks prepared for a congressional hearing on data breaches on

Of the seven agencies whose breaches were analyzed by the GAO, only the Internal Revenue Service consistently calculated how much personal information was at risk in the incidents, and only the IRS and the U.S. Army documented how many people may have been affected, the report said.

Only the Army and the Securities and Exchange Commission notified the people whose data may have been exposed.

None of the federal agencies consistently offered credit monitoring services to the affected individuals, the report

At the hearing of the Senate Committee on Homeland Security and Governmental Affairs, Federal Trade Commission Chairwoman Edith Ramirez urged lawmakers to enact a "strong federal data security and breach notification" law.

Senators Tom Carper, a Democrat from Delaware, and Roy Blunt, a Missouri Republican, introduced a breach notification measure in January aimed at creating a single standard.

But consumer groups have warned that companies may be pressing for a federal standard in hopes that it would be weaker than many of the state laws.

California was the first state to adopt a data breach law in 2003 and it is among the toughest. It requires a detailed disclosure to consumers "in the most expedient time possible and without unreasonable delay" when personal information, including emails with passwords, is "reasonably believed" to have been

(Reporting by Diane Bartz; Editing by Ros Krasny, G Crosse and