Office of Management and Budget "Breach Notification Policy"

In response to recommendations from the President’s Identity Theft Task Force, the Office of Management and Budget (OMB) issued guidance in May 2007 for federal agencies on “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (Memorandum M-07-16, dated May 22, 2007). The OMB memorandum requires all federal agencies to implement a breach notification policy to safeguard “personally identifiable information” within 120 days of the memorandum’s date (that is, by September 19, 2007); the policy applies to both electronic systems and paper documents. To formulate their policy, agencies are directed to review existing privacy and security requirements, and to include requirements for incident reporting and handling and for external breach notification. In addition, agencies are required to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information. Agencies are permitted to develop more stringent policies.

According to the OMB memo, an agency’s failure to implement one or more FISMA provisions, or associated standards, policies, or guidance issued by OMB or the National Institute of Standards and Technology (NIST), would not in itself constitute less than the adequate protections required by the Privacy Act. Moreover, the new OMB requirements do not create any enforceable rights or benefits at law against the government.

Attachment 1 of the OMB Memorandum, Safeguarding Against the Breach of Personally Identifiable Information, reemphasizes agencies’ responsibilities under existing law (e.g., the Privacy Act and FISMA), executive orders, regulations, and policy to safeguard personally identifiable information and to train employees. Two new privacy requirements and five new security requirements are established in Attachment 1 of the OMB Memorandum.

To implement the new privacy requirements, agencies are required to review their current holdings of all personally identifiable information to ensure that they are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount. Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use of social security numbers within eighteen months. Agencies must implement the following five new security requirements (applicable to all federal information): encrypt all data on mobile computers/devices carrying agency data; employ two-factor authentication for remote access; use a “time-out” function for remote access and mobile devices; log and verify all computer-readable data extracts from databases holding sensitive information; and ensure that individuals and supervisors with authorized access to personally identifiable information annually sign a document describing their responsibilities.

Attachment 2 of the OMB Memorandum, Incident Reporting and Handling Requirements, applies to the breach of personally identifiable information in electronic or paper format. Existing FISMA information security requirements are reviewed (implementation of procedures for detecting, reporting, and responding to security incidents; notifying and consulting with appropriate officials and authorities; and implementing NIST guidance and standards). Agencies are required to report all incidents involving personally identifiable information to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery/detection, and to publish a “routine use” policy under the Privacy Act for appropriate systems of records applying to the disclosure of information to appropriate agencies, entities, and persons in connection with response and remedial efforts in the event of a data breach.

Attachment 3, External Breach Notification, identifies the factors agencies should consider in determining when notification outside the agency should be given and the nature of the notification. Notification may not be necessary where the information was properly encrypted (and the encryption key was not itself exposed in the breach). Agency breach notification plans are required to address whether breach notification is required; the timeliness of the notification; the source of the notification; the contents of the notification; the means of providing the notification; and who receives notification. In addition, each agency is directed to establish an agency response team. Agencies must assess the likely risk of harm caused by the breach and the level of that risk. Agencies are directed to consider the nature of the data elements breached, the number of individuals affected, the likelihood that the personally identifiable information is accessible and usable, the likelihood that the breach may lead to harm, and the ability of the agency to mitigate the risk of harm.

Agencies should provide notification without unreasonable delay following the detection of a breach, but are permitted to delay notification for law enforcement or national security purposes, or for agency needs. When the breach involves a federal contractor or an entity operating a system of records on behalf of the agency, the agency itself must issue the notification and undertake corrective actions. Attachment 3 also includes specifics as to the content of the notice, criteria for determining the method of notification, and the types of notice that may be used.

Attachment 4, Rules and Consequences Policy, directs each agency to develop and implement a policy outlining the rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. The particular facts and circumstances, including whether the breach was intentional, are to be considered in taking appropriate disciplinary action. Any action taken by supervisors must be consistent with law, regulation, applicable case law, and any relevant collective bargaining agreement.

Supervisors may be subject to disciplinary action for failure to take appropriate action upon discovering a breach or for failure to take required steps to prevent a breach from occurring. Each agency should have a documented policy in place that applies to employees of the agency (including managers) and to its contractors, licensees, certificate holders, and grantees; that describes the terms and conditions to which affected individuals shall be subject; and that identifies available corrective actions.

Rules of behavior and corrective actions should address the failure to implement and maintain security controls for personally identifiable information; exceeding authorized access to, or disclosure to unauthorized persons of, personally identifiable information; failure to report any known or suspected loss of control or unauthorized disclosure of personally identifiable information; and for managers, failure to adequately instruct, train, or supervise employees in their responsibilities. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.