GAO report finds federal agencies vulnerable to breaches due to increased reliance on contractors
Sep 20 2010
WASHINGTON - Today, Sen. Tom Carper (D-Del.), Chairman of the U.S. Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, released the results of a recent Government Accountability Office (GAO) study calling for stronger safeguards to protect sensitive information, such as social security numbers, from contractor access. The report, Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information, examined agency efforts to control contractors' access to sensitive government data and information, and the extent to which federal agencies, in the planning and management of acquisitions, identified significant areas of risk and vulnerability.
"In recent years there have been an unacceptably high number of data breaches that have left individuals, at times, the victim of serious financial crime or, more often, fearful that their personal information will be compromised," said Sen. Carper. "In one 2008 incident alone, a payment processing company was hacked, exposing over 100 million Americans' sensitive information. In another incident, a contractor for the Department of Veterans Affairs lost a laptop which held over 25 million veterans' health and personal information. These types of breaches are not only scary, but unacceptable.
"This report from the Government Accountability Office shows that, despite increased awareness and progress in addressing this issue, sensitive information retained by federal agencies remains vulnerable to unauthorized disclosure and abuse by outside contractors working for those agencies. The federal government needs to do a better job of protecting sensitive information to prevent disclosure as well as ensuring that, if an improper disclosure takes place, contractors immediately notify the affected agency.
"That's why I joined my colleague Senator Bennett (R-Utah) once again to introduce S. 3742, the Data Security and Breach Notification Act of 2010, which would create a strong national framework to apply to all entities, both public and private, to make sure that our information is secure. It also requires that, if sensitive personal information is somehow compromised, impacted individuals are notified. It is critical that this bill gets passed if we want to replace the costly and inefficient patchwork of state and local laws that contributes to the data breaches we have been seeing."
The study shows that federal agencies face challenges due to their increased reliance on contractors to perform core agency missions. While there are benefits to using contractors to perform services for the government, GAO and others have raised concerns about the increasing reliance on contractors.
In carrying out their day-to-day tasks inside federal agencies, contractor employees have extensive physical and electronic access to sensitive government data and information. The growth of a "blended workforce" raises the issue of how effectively government agencies and contractors assure the integrity of sensitive data and information when planning and administering contracts. Of particular concern is the vulnerability of sensitive government data to unauthorized access and inappropriate use by contractors where there is a high concentration of contractor employees working alongside agency personnel.
This situation raises several concerns: contractors may have conflicts of interest that create a risk that such information will be used for personal gain or for the unfair competitive advantage of their employers, and there is the threat of improper disclosure to outside parties. The most recent example is that of a State Department contractor employee who pled guilty in September 2008 to looking at passport information for celebrities, athletes, actors, and politicians over a three-year period.