Citizens' Privacy at 'High Risk'

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.