Like practically every industry of late, government and federal agencies aren’t immune to the public’s evolving consciousness around data security.

An uptick in data breaches, regulations like the General Data Protection Regulation and the California Consumer Privacy Act, and the rise of surveillance and tracking online have made companies – and the fed sector – more cognizant about what kind of sensitive information they collect and retain.

In the face of evolving data privacy legislation, many are finding this isn’t an exact science. Organizations continue to grapple with finding a balance between collecting data necessary to do business and managing data securely.

While federal agencies already have to take steps to secure personally identifiable information (PII) like Social Security Numbers – see FISMA, NIST, etc. - they can and should take further steps to better incorporate privacy into their risk management strategies, a government watchdog said this month.

As part of its Cybersecurity High-Risk Series, the U.S. Government Accountability Office (GAO) - a legislative branch government agency that routinely carries out audits of agencies, recently issued recommendations for agencies to follow to help improve their ability to protect private and sensitive data they process.

The GAO issues around 1000 recommendations a year and over the past 20 years has highlighted the importance of protecting critical cyber infrastructure and the privacy of PII. While previous Cybersecurity High-Risk reports have focused on securing offshore oil and gas infrastructure and securing federal systems, this is the first GAO report centered on protecting privacy and sensitive data.

Actions the Government Should Take to Protect Privacy and Sensitive Data

While they’re especially geared for federal agencies, the following best practices, flagged by the GAO, could theoretically be adopted by any sector where the core ideas - protecting PII and ensuring there are programs in place to mitigate risk - apply.

Improve Oversight of Contractors Handling PII

Federal agencies should ensure sensitive PII handled by contractors is not only "adequately protected," according to the GAO. if it's collected, used, or stored by a third party, agencies should do their due diligence to ensure risks to data are addressed. That means double checking that the correct privacy compliance needs are met and ensuring that when security training is rolled out, it's done to complement each employee's specific role and responsibilities. If something were to go wrong - like data being exposed - the appropriate protocols should be in place to allow contractors the right avenue to notify affected individuals of a privacy incident.

Better Assess Facial Recognition Technology Risks

For many, facial recognition is a still a nascent technology not without its own inherent risks. Agencies should take steps to better track what non-federal systems with facial recognition technology employees are using and make known any potential privacy and accuracy-related risks to help mitigate risks to themselves and the public, the GAO urged.

Federal Financial Regulators Should Better Protect Personal Information

Financial regulators collect vast reserves of PII from a variety of sources, including the public, financial institutions like banks, insurance companies, and third parties like regulators. While each one has its own robust privacy program in place, the GAO is urging them to go the extra step to make sure the PII they collect, use, and share can't be compromised.

Regulators should, if they haven't already, take steps to minimize the collection of PII, have metrics to monitor privacy controls in place, and ensure that they have the right safeguards in place to ensure they're complying with the right privacy requirements.

Mitigate Risks in 401(k) Retirement Plans

The GAO again - it first floated this concept in 2021 - is pushing agencies to better mitigate potential cybersecurity risks in 401(k) retirement plans. Given the wide range of PII shared by stakeholders - retirement plan sponsors, record keepers, third party admins, custodians, and payroll providers – its pressing agencies to establish clear federal requirements or standards for them to follow to mitigate risk.

"This potential lack of protection could result in substantial harm to participants and beneficiaries including loss or theft of money, identity theft, or litigation involving plan fiduciaries and their administrators," the office wrote in its recommendations.

While the GAO's recommendations aren't orders, following them could help the federal sector shore up how sensitive data like PII is safeguarded.