GSA Took 800 Days to Notify Some Data Breach Victims

It took the General Services Administration more than 800 days to notify a handful of people that it had accidentally exposed their personal information, according to an audit released Friday.

In another case, the agency took six months just to determine that a data breach related to background investigation information had occurred, the agency’s inspector general said. The people affected by that breach might not have learned about it for two months more, according to the report.

The report focuses primarily on the General Services Administration’s response to a September 2015 breach in which the agency mistakenly shared personal information about roughly 8,200 people in an unencrypted file with an external auditor that didn’t need to receive that information.

The agency’s first failure came when it didn’t notify any of those 8,200 people before its own deadline, which kicked in 30 days after the agency notified the government’s cyber emergency response unit inside the Homeland Security Department.

In January 2017, more than a year after the initial breach, the agency’s chief privacy official discovered 26 victims still hadn’t been notified, according to the inspector general’s review.

The official found contact information for 20 of those victims and asked the division responsible for the breach to notify them. The office failed to send those notifications, however, until December 2017, after the inspector general’s office inquired about the notifications.

“Without timely and effective notice of the breach, the affected individuals could not take prompt action to protect themselves against the possibility of harm resulting from the exposure of their [personally identifiable information],” the report states.

GSA management was not able to find contact information for the final six breach victims, according to the report.

Since the 2015 breach, the agency also changed its procedures in ways that could delay notifying breach victims even longer, the audit states.

Prior to the breach, the agency gave itself 30 days to notify breach victims and started the clock ticking when it notified Homeland Security’s Computer Emergency Readiness Team, or US-CERT.

Following the breach, the agency began giving itself 60 days to notify victims and started the clock ticking when its own breach response team formally verified that a breach occurred.

There’s no required timeframe for that determination, so the notification to victims could, theoretically, be delayed indefinitely, the auditors found.

The auditors examine four breach notifications under the new rules and found the response team took 70 days on average to make its determination. The six-month delay in determining if a beach occurred came during that period.

Agencies are required by a 2017 policy to notify Homeland Security within one hour of discovering a significant breach—even if the agencies not sure about some details or confident about how bad the breach was. There are government best practice guides but not formal requirements for how and when agencies should notify breach victims.