Government breaches don’t make up a large proportion of data breaches, coming in at 11% of all breaches in 2014 and 7.6% of breaches thus far in 2015, and yet government agencies have been subject to an increased level of criticism over their struggles with data protection. Just why is this? I set out to discover why government is the most heavily criticized sector for data breaches, how that affects public trust, and what governments can do to improve.
In an article for GCN, Building public trust by tightening security preparedness, I examine the different relationship that people have with governments versus the private sector and how this shapes trust in government as a whole. In the private sector, the loss of trust after a data breach results in greater customer churn and reduced profits. In the public sector, relationships are not bound by the same economics: those affected by a data breach either have no fiscal recourse to express their loss of trust or no alternative service provider. What we see instead is a loss of faith in the competency of government as a whole. This loss of faith needs to be addressed with a dramatic increase in accountability for data security.
According to GAO data, government breaches have increased by 91% in the past 8 years, with notable breaches such as the OPM breach shedding light on deficiencies in government data security programs. Reports have indicated that deficiencies in security exist across all government agencies, with hundreds of recommendations going unheeded. At what point does insufficient IT security then become negligence, and how is the government held accountable?
The Third Circuit recently affirmed the FTC’s authority to regulate the data security standards of commercial entities, showing a dedication to enforcing security standards in the private sector, yet no equivalent mechanism exists to rein in government agencies. In order to regain public trust surrounding data governance and social responsibility, I suggest governments take actionable steps including:
- Perform risk assessments
- Create an actionable plan
- Automate, wherever possible
- Make security a top-down priority
- Leverage a layered security strategy to protect data