WASHINGTON – None of five federal agencies using electronic data mining to track terrorists, catch criminals or prevent fraud complied with all rules for gathering citizen information. As a result, they cannot ensure that individual privacy rights are appropriately protected, congressional investigators said Monday.
The agencies' lapses either "increased the risk that personal information could be improperly exposed or altered" or "limited the ability of the public — including those individuals whose information was used — to participate in the management of that personal information," the Government Accountability Office said.
A study by the GAO, Congress' investigating arm, sampled five of the dozens of federal agencies that use computerized data analysis: the Agriculture Department, FBI, Internal Revenue Service, Small Business Administration and State Department. It evaluated how one data mining activity in each agency complied with the Privacy Act, federal information security laws and government directives.
The ranking Democrat on the Senate government management subcommittee, Daniel Akaka of Hawaii, who requested the study, said the findings represent "a troubling trend given the number of data mining activities in the federal government that use personal information."
In May 2004, a GAO survey found that federal agencies were using or planning 199 data mining projects, including 122 that used personal information such as credit reports, credit card transactions, student loan application data, bank account numbers and taxpayer identification numbers.
This time, GAO looked at:
—an Agriculture Department Risk Management Agency effort to detect fraud in federal crop insurance.
—a State Department-General Services Administration program to police how employees use government charge cards.
—the FBI Foreign Terrorist Tracking Task Force's effort to locate terrorists in the United States.
—the IRS' Reveal system to detect financial crimes, fraud and terrorist activity.
—the SBA's system to measure and manage risk in two loan programs.
The GAO found only three had prepared privacy impact assessments of their data programs, and none of those complied with all Office of Management and Budget guidance. These assessments describe how the data would be used, with whom it would be shared and how it would be protected.
FBI and State claimed they were exempt from the assessments required by the E-Government Act of 2002, the FBI because it was a national security system and State because its data dealt with federal employees, not the public.
But GAO noted that FBI regulations require such assessments. FBI officials said they were preparing privacy assessments but had been delayed because employees were occupied with other priorities. The FBI had no date for completing the assessment.
While agreeing that State's system was exempt from the act, GAO noted that OMB encouraged agencies to do privacy assessments on systems about government workers. GSA said it was developing guidance that would require the assessments.
GAO found all five agencies had taken some security steps, but none had complied with all requirements set by federal law and OMB.
All but State had done a risk assessment to determine vulnerabilities and develop countermeasures against those threats. SBA and Agriculture didn't fully document their capabilities of responding to incidents, and neither FBI nor Agriculture had tested contingency plans, "a key requirement for adequate security planning," GAO said. IRS' system, begun last February, still had testing under way.
State and GSA said they had reviewed the security processes of Citibank, which supplied the government credit cards. GAO said they had not determined that Citibank's security met all federal requirements.
Noting that Bank of America acknowledged in February that it had lost computer tapes with personal information on 1.2 million federal employees carrying its government credit cards, GAO said, "Agencies that do not take adequate steps to ensure information security risk having information improperly exposed, altered or destroyed."