OMB Memorandum M-07-16

Citation: Office of Management and Budget, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (2007).

Overview
In response to recommendations from the President’s Identity Theft Task Force,39 the Office of Management and Budget issued guidance in May 2007 for federal agencies on “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”40 The OMB Memorandum M-07-16 requires all federal agencies to implement a breach notification policy to safeguard “personally identifiable information” by August 22, 2007 to apply to both electronic systems and paper documents.41 To formulate their policy, agencies are directed to review existing privacy and security requirements, and include requirements for incident reporting and handling and external breach notification. In addition, agencies are required to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information.

Attachment 1 -- Safeguarding Against the Breach of Personally Identifiable Information
Attachment 1 of the OMB memorandum, Safeguarding Against the Breach of Personally Identifiable Information, reemphasizes agencies’ responsibilities under existing law (e.g., the Privacy Act and FISMA), executive orders, regulations, and policy to safeguard personally identifiable information and train employees. Two new privacy requirements and five new security requirements are established. To implement the new privacy requirements, agencies are required to review current holdings of all personally identifiable information to ensure that they are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount. Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use of social security numbers within eighteen months. Agencies must implement the following five new security requirements (applicable to all federal information): encrypt all data on mobile computers/devices carrying agency data; employ two-factor authentication for remote access; use a “time-out” function for remote access and mobile devices; log and verify all computer-readable data extracts from databases holding sensitive information; and ensure that individuals and supervisors with authorized access to personally identifiable information annually sign a document describing their responsibilities.42

Attachment 2 -- Incident Reporting and Handling Requirements
Attachment 2 of the OMB Memorandum, Incident Reporting and Handling Requirements, applies to the breach of personally identifiable information in electronic or paper format. Agencies are required to report all incidents involving personally identifiable information within one hour of discovery/detection; and publish a “routine use”43 under the Privacy Act applying to the disclosure of information to appropriate persons in the event of a data breach.44

Attachment 3 -- External Breach Notification
Attachment 3, External Breach Notification, identifies the factors agencies should consider in determining when notification outside the agency should be given and the nature of the notification. Notification may not be necessary for encrypted information. Each agency is directed to establish an agency response team. Agencies must assess the likely risk of harm caused by the breach and the level of risk. Agencies should provide notification without unreasonable delay following the detection of a breach, but are permitted to delay notification for law enforcement, national security purposes, or agency needs. Attachment 3 also includes specifics as to the content of the notice, criteria for determining the method of notification, and the types of notice that may be used.

Attachment 4 -- Rules and Consequences Policy
Attachment 4, Rules and Consequences Policy, directs each agency to develop and implement a policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. Supervisors may be subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring. Rules of behavior and corrective actions should address the failure to implement and maintain security controls for personally identifiable information; exceeding authorized access to, or disclosure to unauthorized persons of, personally identifiable information; failure to report any known or suspected loss of control or unauthorized disclosure of personally identifiable information; and for managers, failure to adequately instruct, train, or supervise employees in their responsibilities. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.