Federal Retirement Thrift Investment Board (FRTIB) executive director Greg Long was recently called to Capitol Hill to testify in regard to a July 2011 data breach that exposed sensitive personal information of approximately 123,000 current and former federal employees. Following a thorough cross-examination from legislators, many are viewing the FRTIB incident as a microcosm of lingering federal data protection disparities and loopholes crying out for comprehensive reform.
The data security scare came to light earlier this summer as federal workers enrolled in the agency's Thrift Savings Plan (TSP) were informed that their personal information – including Social Security numbers – may have been misappropriated by hackers in July 2011. The FRTIB only became aware of the intrusion in April 2012 when informed by FBI computer forensics experts who were tipped off by a private contractor managing TSP databases.
Long's team responded by providing credit monitoring services to affected individuals and cooperating in a comprehensive investigation. Officials then presented several conclusions drawn from that investigation in this week's congressional testimony.
"The past decade has been a time of dramatic expansion for the agency, in the number of participants, in the number of dollars invested in the TSP and the services provided to our participants," Long told lawmakers, according to Government Executive. "This growth taxed the agency's ability to complete all that needed to be done."
The scalability of data protection measures was not the only competency to come under question, however. Hawaii Senator Daniel Akaka, chairman of the Homeland Security and Governmental Affairs subcommittee on federal workforce oversight and one of those affected by the TSP incident, was dismayed to learn that the FRTIB did not have any formal data breach notification plan to speak of.
According to the Washington Post, this was particularly surprising considering the Office of Management and Budget issued a directive to all federal agencies in 2007 to develop such a strategy. However, this mandate was not legally binding for the FRTIB as the TSP budget is funded exclusively by its participants and thus not subject to congressional review.
Closing loopholes, fortifying defenses
Although legislators were not impressed with the FRTIB's negligence, many are interpreting the fact that it was legally defensible as another sign of the convoluted nature of federal data security policy. Specifically, Akaka has placed the 1974 Privacy Act under the microscope, suggesting that four decades of technological evolution have effectively rendered the legislation obsolete in some areas.
According to CIO.com, Akaka pointed to the limited means by which individuals could sue government entities for egregious data protection transgressions. One of the qualifiers in the current legislation is that the incident must cause serious economic harm. However, medical record breaches that have damaged patients' personal and professional reputations by revealing rare or sensitive conditions underscore the many ways government security missteps could impact consumers.
What's more, Privacy Act loopholes are allowing federal agencies to maintain essentially unregulated relationships with private sector partners. The fact that the TSP breach was triggered by an infiltration of a database managed by a third-party service provider has only fueled the call for urgent reform in this area.
"We should require privacy impact assessment on agencies' use of commercial sources of Americans' private information," Akaka testified, according to CIO.com. "This would provide basic transparency of agencies' use of commercial databases, so that individuals have appropriate protections such as access, notice, correction and purpose limitations."
Aside from the federal data breach notification law currently being debated in Congress, legislators are also addressing threat prevention. One of the more popular proposals discussed at the subcommittee hearing was a comprehensive review of the scope of government data collection practices and statutes that would shorten retention periods.
Data Security News from SimplySecurity.com by Trend Micro