in Government Accountability Office Reports
Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain (GAO-09-759T, June 17, 2009) (24pp | 302kb | PDF) — "Several steps have been taken, both in terms of legislation and administrative actions to combat identity theft at the federal, state and local levels, although efforts to assist victims of the crime once it has occurred remain somewhat piecemeal…. Despite efforts to prevent identity theft, vulnerabilities remain and can be grouped into several areas, including display and use of Social Security numbers, availability of personal information through information resellers, security weaknesses in federal agency information systems, and data security breaches…. As a result, federal systems and sensitive information are at increased risk of unauthorized access and disclosure, modification, or destruction, as well as inadvertent or deliberate disruption of system operations and services. GAO has reported that federal agencies continue to experience numerous security incidents that could leave sensitive personally identifiable information in federal records vulnerable to identity theft."
Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (GAO-08-525, June 2008) (74pp | 1.4m | PDF) — "Commercially available encryption technologies can help federal agencies protect sensitive information that is stored on mobile computers and devices … [or] that is transmitted over wired or wireless networks …. While many products to encrypt data exist, implementing them incorrectly … can result in a false sense of security and render data permanently inaccessible. Key laws frame practices for information protection, while federal policies and guidance address the use of encryption…. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification."
Information Security: Protecting Personally Identifiable Information (GAO-08-343, January 2008) (34pp | 385kb | PDF) — "In the wake of recent incidents of security breaches involving personal data, OMB issued guidance in 2006 and 2007 reiterating agency responsibilities under these laws and technical guidance, drawing particular attention to the requirements associated with personally identifiable information. In this guidance, OMB directed, among other things, that agencies encrypt data on mobile computers or devices and follow NIST security guidelines regarding personally identifiable information that is accessed outside an agency’s physical perimeter. Not all agencies had developed the range of policies and procedures reflecting OMB guidance on protection of personally identifiable information that is either accessed remotely or physically transported outside an agency’s secured physical perimeter…. Gaps in their policies and procedures reduced agencies’ ability to protect personally identifiable information from improper disclosure."
For Further Information
Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown (GAO-07-737, June 2007) (50pp | 588kb | PDF) — "While comprehensive data do not exist, available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances…. The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts."