Group items tagged

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

Identity theft concerns are focused on the security and necessity of the collection process. Collecting personal information just because you can is unsafe. Organizations can reduce privacy risks by not collecting unnecessary personal info. Once the data gets into the data life cycle pipeline, the cost of managing and destroying it escalates. The Federal Trade Commission estimates that as many as 9 million people have their identities stolen every year. According to the Privacy Rights Clearinghouse, more than 200 million instances of data breaches have occurred since the beginning of 2005, and they show no signs of letting up. In the first quarter of 2008 alone, more than 85 million incidents were reported. The causes of data breaches run the gamut: Hackers get unencrypted, transmitted data and data at rest; laptops are stolen or lost; storage Relevant Products/Services devices are lost by third-party shipping companies; flash drives or PDAs are left lying around; Social Security numbers are accidentally printed on envelopes; or data is found on discarded computers. This article examines the organizational risks to CPAs and their clients or corporate employers of improperly managed data throughout the data life cycle. It also discusses best data management practices and proper procedures for responding to a data breach. Data breaches, whatever the cause, are costly. According to a study by the Ponemon Institute, the average cost of a data breach in 2007 was $6.3 million. The average cost to an organization per record compromised is about $197, which is typically spent on phone calls for customer notification, providing free credit monitoring, discounts on membership fees, or discounts on merchandise to make up for the security Relevant Products/Services breach. Some organizations also experience an increase in customer turnover. The organization typically spends additional money in data protection Relevant Products/Services enhancements. Companies sanctioned by

More than 6 million current and former customers of online brokerage TD Ameritrade Holding Corp. will be able to benefit from the settlement of a class-action lawsuit filed over the theft of client contact information. Formal notice of a settlement agreement will be sent to people who used TD Ameritrade's services before mid-September 2007. U.S. District Judge Vaughn Walker in San Francisco approved a revised version of the settlement agreement earlier this month despite some misgivings about it. Last summer, Walker rejected an earlier version of the deal. Anyone who held an Ameritrade account or provided an e-mail address to the company before Sept. 14, 2007, could benefit from the lawsuit. The database that was breached included information on 6.2 million people. The plaintiffs in the lawsuit said they received unwanted e-mail ads about certain stocks. The ads appeared to be designed to manipulate the value of thinly traded stocks. Ameritrade officials and one of the lead plaintiff's attorneys, Scott Kamber, have said the data theft has not been linked to cases of identity theft. As part of the proposed settlement, the Omaha-based company will pay nearly $1.9 million in legal fees and cover the cost of one year of anti-spam service for the victims. Ameritrade also promised to better protect customer data. Those terms have not changed from the original proposed settlement. But the new agreement will more clearly state that Ameritrade customers were at risk of identity theft, and it will preserve customers' ability to pursue identity theft claims against Ameritrade. Most of the changes to the agreement happened because the Texas Attorney General's Office and a former named plaintiff objected to the previous deal. In his order, the judge questioned whether the settlement does enough to benefit Ameritrade clients whose information was stolen. "The court is particularly concerned that TD Ameritrade has agreed to pay the class counsel $1.87 million and yet the

The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumer's personally identifiable and financial information entrusted to businesses and other organizations. Many suchidentity theft, id theft, government security, government privacy regulations aim to prevent identity theft and privacy violations. While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or "crackers" who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President's Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services. But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages. Any company that thinks there are no risks in employing less than best practices for data privacy and security needs a wake up call. The headlines are all too familiar. Some well known consumer services company (or less known wholesale data processor) announces that millions of individual records containing names, Social Security numbers, account numbers and other sensitive information were left in a dumpster, saved to a stolen, unencrypted laptop, or stored on a misplaced USB drive or backup tape. The press is terrible, the company's stock takes a temporary plunge, and sometimes the Federal Trade Commission enters into a consent decree where the company promises to never do it again. But when affected individuals or groups of consumers tried to sue for damages, they seldom recover significant amounts. These cases have not often succeeded because the plaintiffs have been unable to prove actual pecuniary losses resulting from the security breach. Sure, if identify theft occurs the affected individuals can suffer significant emotional trauma, loss of time, etc. But Courts have been unwilling to award damages for anxiety, fear, and other emotional harm that can result from a data breach, for the risk of future identify theft, or for actual identity theft when the plaintiff could not prove that the theft occurred as a direct result of a data breach at a particular source. Most companies facing claims based on data breaches have been able to settle cheaply by offering to provide credit monitoring services, which most consumers do not use, resu

Individuals have been at risk of having their personal information stolen and used to commit identity-related crimes long before the emergence of the Internet. What the Information Age has changed, however, is the method by which identity thieves can access and exploit the personal information of others. One method in particular leaves hundreds of thousands, and in some cases tens of millions, of individuals at risk for identity theft: large scale data breaches by skilled hackers. In this method, criminals remotely access the computer systems of government agencies, universities, merchants, financial institutions, credit card companies, and data processors, and steal large volumes of personal information on individuals. Such large scale data breaches have revolutionized the identity theft landscape as it relates to fraud on existing accounts through the use of compromised credit and debit card account information. Large scale data breaches would be of no more concern than small scale identity thefts if criminals were unable to quickly and widely distribute the stolen information for subsequent fraudulent use (assuming, of course, that the breach would be quickly detected). Such wide-scale global distribution of stolen information has been made possible for criminals with the advent of criminal websites, known as "carding forums," dedicated to the sale of stolen personal and financial information. These websites allow criminals to quickly sell the fruits of their ill-gotten gains to thousands of eager fraudsters

Like this http://www.hdfilmsaati.net Film,dvd,download,free download,product... ppc,adword,adsense,amazon,clickbank,osell,bookmark,dofollow,edu,gov,ads,linkwell,traffic,scor,serp,goggle,bing,yahoo.ads,ads network,ads goggle,bing,quality links,link best,ptr,cpa,bpa. www.killdo.de.gg

Cornell University officials are investigating the theft of a school computer that may have compromised the personal information of about 45,000 current and former students, faculty and staff. University spokesman Simeon Moss says the university has sent e-mails about the incident to everyone whose data was on the computer. They're being offered one year of free credit reporting, credit monitoring and identity restoration services. A Cornell Web page on the theft says there have been no known misuses of the data, which include Social Security numbers. The page says the laptop was in the possession of a Cornell technician who was doing some troubleshooting. Moss says police are investigating the theft.

Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008. Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology. "It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."

"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research. Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday. Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized. "It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings-break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10-double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre

Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in purchases, school officials say. One woman has been accused of fraudulent use or possession of identifying information and two charges of credit card abuse. A second person linked to the theft case has been arrested but no charges have yet been filed in the Irving case, authorities said. At least 64 of the 3,400 teachers and other employees whose names were on the old benefits report that somehow ended up in the trash have said they are identity theft victims. The school district mailed letters to current and former employees about the breach, but 472 of the letters were returned as undeliverable. Pat Lamb, district security director, said in a story for Sunday's online edition of The Dallas Morning News that the employees at risk of being on the list worked for the district in the 2000-01 school year and had payroll deductions for benefits. "We still do not know how our records were compromised," Lamb said. "We don't know if somebody was supposed to shred that information, but it ended up in a Dumpster." Lamb said his name was among those on the report, which was generated in 2000. Cynthia Will, a former teacher, pleaded for help from the school board last week. More than $25,000 was charged in her name, including a $4,000 diamond ring, the newspaper reported. "It was stunning the damage that was done in just seven days," she told the board. Will has to carry an affidavit stating that she is an identity theft victim and if there are warrants on her old driver's license number that they are not for her. Dawn Bizzell, who has taught in the district since 1996, said district officials acted too slowly. An employee advisory wasn't posted until Jan. 26. Bizzell said she learned she was an identity theft victim on Nov. 28 and police told her of the district connection on Dec. 3.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

Healthcare organizations are losing more than just names, addresses and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions, treatments and medications while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes. Theft of electronic medical records is on the rise, and the implications are getting more serious. In a 2008 survey of identity theft victims, the Identity Theft Resource Center found that 67% had been charged for medical services they never received and 11% were denied health or life insurance due to unexplained reasons.

A recent data breach study commissioned by the state of Maine sheds light on the losses banks experienced as a result of the data breaches at TJX and Hannaford Brother's supermarkets. The state's banks said they incurred $2.1 million in expenses related to data breaches since January 1, 2007. The Hannaford breach had the largest impact, affecting 71 financial institutions and incurring $1.6 million in expenses according to the Maine Data Breach Study. Hannaford is based in Scarborough, Maine. The TJX breach accounted for $485,000 in expenses. The report was issued by the Main Bureau of Financial Institutions in November 2008. It studied the impact of data security breaches on Maine banks and credit unions. Fifty credit unions and 25 banks headquartered in Maine responded to the survey. Financial institutions reported more than 18 million records breached last year, according to the Identity Theft Research Center. The San Diego-based nonprofit found that data breach reports across five industry sectors jumped to 656 last year, up 47% from 2007. About 12% of the reports came from financial-services firms, up from 7% in 2007. In Maine, the Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used to buy items fraudulently, although five of the 22 institutions that suffered a fraud loss did not report the number of accounts, according to the report. The Hannaford breach cost some banks as much as $58,000 to reissue credit cards to customers. Investigation expenses cost nearly $30,000 for some banks. Communication to customers cost nearly $28,000, some banks and credit unions reported. Fraud losses of nearly $45,000 were tied to the TJX data breach. The losses were reported by six financial institutions. The expenses for reissuing credit cards cost some banks as much as $32,000. Investigation expenses were as high as $21,000 for some banks. Communication to custom

Data Privacy Trends: Randy Sabett, Information Security Attorney March 26, 2009 Activity at the State Level Points Toward a Federal Data Breach Notification Law Data privacy legislation -- the trend started in California and is being discussed heatedly in Massachusetts today. Data breach notification and privacy laws have now been enacted in 40 separate states, and government observers think we're close to seeing federal legislation proposed. In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses: Trends in state data privacy legislation; What these laws mean to businesses; The Obama Administration's approach to data privacy; Trends to keep an eye on throughout 2009. Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.

"Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital - a crime being investigated by the FBI. But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said. One victim says that is too long to wait to tell patients they may be at risk of identity theft. The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information - the kind that can be used for identity theft - was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon. The man was stunned and angry to learn from someone other than hospital officials that his data had been leaked. Hospital officials should have notified him "way sooner," he said. "I would've given them two or three days after they initially found out. But this is a major thing - a priority thing!""

Most Americans believe the world financial crisis has increased their risk of identity theft or related crimes, according to the latest Unisys Security Index. The biannual survey of consumers in nine countries found that more than two-thirds of Americans are "extremely or very concerned" about other people obtaining and using their credit or debit card details -- with 90 percent at least "somewhat concerned." In addition, computer security remains a major concern. More than 40 percent of Americans are extremely or very concerned about security in relation to viruses or unsolicited emails. Three-quarters of Americans believe that the world financial crisis will increase the risk that they will personally experience identity theft or related crimes. More than one-quarter believe that the risk will increase substantially. "Financial security for Americans has moved from third place to front and center, number one," Tim Kelleher, vice president of enterprise security at Unisys, provider of information technology consulting services, told SCMagazineUS.com Monday. "People feel they are much more financially at risk." This has major implications for banks and other financial institutions, as well as internet businesses, he said. "Banks and businesses need to understand that customers are more wary than ever about using services that may compromise their personal data," Kelleher said. "If economic concerns increase these fears, companies need new strategies to strengthen customer confidence through accountability and transparency, which also plays to part of the Obama administration's call to action for government and business." The U.S. Security Index is based on a random telephone survey of 1,004 persons ages 18 and over. The first wave of the study was conducted in August 2007.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires

The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."

1. You get what you pay for. 2. Americans do not take information or security as seriously as they do their love for profit & cost savings. If one does not value what they are trying to protect accurately, the investment one is prepared to make will always be insufficient. Then there are hindsight and rationalization (a.k.a. politicians) - Karl The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their inf