Almost 60% of GAO's Privacy Recommendations Since 2010 Are Unresolved

Federal officials have failed to implement almost 60% of the privacy and data security recommendations issued by the Government Accountability Office since 2010, according to a Tuesday report from the watchdog, potentially limiting their ability to adequately safeguard Americans’ collected personal information.

The report found that, of the 236 public recommendations GAO has made since 2010 related to the protection of collected personal data, only 96 have been implemented by federal agencies as of December 2022.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report warned. 

To address some of the ongoing challenges with safeguarding personally identifiable information—or PII—the report said that the government needs to “improve the protection of federally collected and maintained personal and sensitive data,” and “improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans.”

GAO said this includes having federal agencies that collect sensitive personal data—such as social security numbers and birthplaces—place a greater emphasis on prioritizing privacy programs and strategies in their internal policies.

A previous watchdog report released by GAO in September 2022 found that, of 24 reviewed agencies, “most had generally established policies and procedures for key privacy program activities.” The reported noted, however, that the agencies “varied in establishing policies and procedures for coordinating privacy programs with other agency functions,” and that many of them “did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing PII or develop a continuous monitoring strategy for privacy.”

Additionally, GAO said in the same report that Congress should work to pass legislation establishing a “dedicated, senior-level privacy official” at all federal agencies. The watchdog noted, however, that Congress has failed to act on its recommendation, and that 62 of the 64 recommendations that it made to the Office of Management and Budget and federal agencies regarding efforts “to fully implement all of the key practices for their privacy programs” remain unaddressed as of February 2023.

The report also said that the Department of Homeland Security “needs to improve its oversight of contractors handling personal information”—a warning that grew out out of a December 2021 report from the the watchdog, which found that DHS and other federal agencies “had reported increasing numbers of privacy incidents that have placed sensitive information at risk of potentially serious impacts on federal operations, assets and people.”

“DHS is responsible for a wide variety of functions that are critically important to maintaining the security of our nation’s citizens,” the report noted. “To carry out these functions, the department needs to collect and maintain extensive amounts of detailed and sometimes sensitive PII. In many cases, DHS leverages the capabilities and expertise of contractors to assist in its various missions and grants contractors access to PII to perform the work.”

Although GAO recommended that “selected DHS components improve their oversight of contractors' privacy protections and remediation of incidents” through seven specific actions, the department had not implemented any of the steps as of December 2022. 

GAO also said that the issuance of federal guidance to better mitigate cyber risks in retirement plans—such as having the Labor Department establish “minimum cybersecurity expectations for protecting PII and plan assets”—would help ensure that “sensitive information is being adequately or consistently protected.” 

While Labor followed through on GAO’s prior recommendation and “issued new guidance for plan sponsors and service providers on best practices for maintaining cybersecurity in April 2021,” the watchdog said it maintains that “a minimum set of expectations for mitigating cybersecurity risks should be established,” and added that it “will follow up with DOL on their efforts to do so.”

Tuesday’s review is GAO’s final report in a four-part series examining high-risk cybersecurity concerns that federal officials have failed to address. All four of the reports in GAO’s series have outlined the lack of follow-through on the part of federal agencies to adequately respond to the cyber vulnerabilities, operational gaps and deficient policies and practices identified by the watchdog. 

GAO’s first report, issued on Jan. 19, found that agencies had only implemented roughly 40% of its cybersecurity recommendations since 2010. A subsequent report, released on Jan. 31, detailed how officials had only implemented 21% of the watchdog’s recommendations for protecting federal systems and information during the examined period. In its penultimate review, issued on Feb. 7, GAO found that agencies failed to implement almost 57% of its recommendations related to the protection of critical infrastructure services. 

Of the 1,389 total recommendations that GAO examined across all four reports in its cybersecurity high-risk series, the watchdog found that agencies had failed to implement 540—or approximately 39%—of them from 2010 through the end of December 2022.