Analysis: Why did EPA delay notifying data breach victims?

Although it's disturbing enough that about 8,000 people had their personal information compromised when a virus attacked Environmental Protection Agency computers, what is really eyebrow-raising is that EPA didn't notify the victims for several months.

The breach happened in March; EPA alerted the people involved in August.

Tanya Forsheit, a founding partner at InfoLawGroup, told the U.K.'s PC Advisor that there is no single standard for notifying people potentially affected by a breach.

"State and federal breach notification laws govern how quickly an organization is required to notify affected individuals of a breach," Forsheit said. "Those deadlines depend on the particular law involved. The 46 state laws are all different, and the federal laws that do exist…are different still."

The compromised EPA servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors. The data — including Social Security numbers, bank account information and home addresses — was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports.

The breach raises questions about the cybersecurity measures in place at the agency and at agencies throughout government. Technology and policy are critical to the success of any security effort, in addition to education and training, experts say.

“We cannot just have policy-based approaches to cybersecurity; it has to be technology-based, too,” said Tony Busseri, CEO of IT security firm Route1. “If we rely upon the human condition — i.e., we expect someone to adhere to a policy — and that’s the only protection we have, we’re going to have failure. By nature, people are prone to making errors.”

That concern isn’t limited to EPA or to this specific incident. It’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.

“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless,” he said. “It comes down to cybersecurity 101.”

Breaches involving government computers seem to be on the rise. Agencies reported 13,000 incidents in 2010 and 15,500 in 2011, according to a report in the Federal Times.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.