Almost 60% of GAO's Privacy Recommendations Since 2010 Are Unresolved


A watchdog report found that federal agencies have only implemented approximately 41% of recommendations related to the protection and security of sensitive data as of December 2022.

Federal officials have failed to implement almost 60% of the privacy and data security recommendations issued by the Government Accountability Office since 2010, according to a Tuesday report from the watchdog, potentially limiting their ability to adequately safeguard Americans’ collected personal information.

The report found that, of the 236 public recommendations GAO has made since 2010 related to the protection of collected personal data, only 96 have been implemented by federal agencies as of December 2022.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report warned. 

To address some of the ongoing challenges with safeguarding personally identifiable information—or PII—the report said that the government needs to “improve the protection of federally collected and maintained personal and sensitive data,” and “improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans.”

GAO said this includes having federal agencies that collect sensitive personal data—such as social security numbers and birthplaces—place a greater emphasis on prioritizing privacy programs and strategies in their internal policies.

A previous watchdog report released by GAO in September 2022 found that, of 24 reviewed agencies, “most had generally established policies and procedures for key privacy program activities.” The report noted, however, that the agencies “varied in establishing policies and procedures for coordinating privacy programs with other agency functions,” and that many of them “did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing PII or develop a continuous monitoring strategy for privacy.”

Additionally, GAO said in the same report that Congress should work to pass legislation establishing a “dedicated, senior-level privacy official” at all federal agencies. The watchdog noted, however, that Congress has failed to act on its recommendation, and that 62 of the 64 recommendations that it made to the Office of Management and Budget and federal agencies regarding efforts “to fully implement all of the key practices for their privacy programs” remain unaddressed as of February 2023.

The report also said that the Department of Homeland Security “needs to improve its oversight of contractors handling personal information”—a warning that grew out of a December 2021 report from the watchdog, which found that DHS and other federal agencies “had reported increasing numbers of privacy incidents that have placed sensitive information at risk of potentially serious impacts on federal operations, assets and people.”

“DHS is responsible for a wide variety of functions that are critically important to maintaining the security of our nation’s citizens,” the report noted. “To carry out these functions, the department needs to collect and maintain extensive amounts of detailed and sometimes sensitive PII. In many cases, DHS leverages the capabilities and expertise of contractors to assist in its various missions and grants contractors access to PII to perform the work.”

Although GAO recommended that “selected DHS components improve their oversight of contractors' privacy protections and remediation of incidents” through seven specific actions, the department had not implemented any of the steps as of December 2022. 

GAO also said that the issuance of federal guidance to better mitigate cyber risks in retirement plans—such as having the Labor Department establish “minimum cybersecurity expectations for protecting PII and plan assets”—would help ensure that “sensitive information is being adequately or consistently protected.” 

While Labor followed through on GAO’s prior recommendation and “issued new guidance for plan sponsors and service providers on best practices for maintaining cybersecurity in April 2021,” the watchdog said it maintains that “a minimum set of expectations for mitigating cybersecurity risks should be established,” and added that it “will follow up with DOL on their efforts to do so.”

Tuesday’s review is GAO’s final report in a four-part series examining high-risk cybersecurity concerns that federal officials have failed to address. All four of the reports in GAO’s series have outlined the lack of follow-through on the part of federal agencies to adequately respond to the cyber vulnerabilities, operational gaps and deficient policies and practices identified by the watchdog. 

GAO’s first report, issued on Jan. 19, found that agencies had only implemented roughly 40% of its cybersecurity recommendations since 2010. A subsequent report, released on Jan. 31, detailed how officials had only implemented 21% of the watchdog’s recommendations for protecting federal systems and information during the examined period. In its penultimate review, issued on Feb. 7, GAO found that agencies failed to implement almost 57% of its recommendations related to the protection of critical infrastructure services. 

Of the 1,389 total recommendations that GAO examined across all four reports in its cybersecurity high-risk series, the watchdog found that agencies had failed to implement 540—or approximately 39%—of them from 2010 through the end of December 2022. 
