In response to recommendations from the President's Identity Theft Task Force, The Office of Management and Budget issued guidance in May 2007 for federal agencies on "Safeguarding Against and Responding to the Breach of Personally Identifiable Information." The OMB memorandum requires all federal agencies to implement a breach notification policy to safeguard "personally identifiable information" within 120 days of the date of the memorandum (by August 22, 2007) to apply to both electronic systems and paper documents. To formulate their policy, agencies are directed to review existing privacy and security requirements, and include requirements for incident reporting and handling and external breach notification. In addition, agencies are required to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information. Agencies are permitted to develop more stringent policies.
According to the OMB memo, an agency's failure to implement one or more of FISMA provisions or associated standards, policies, or guidance issued by OMB or the National Institute of Standards and Technology (NIST) would not constitute less than adequate protections required by the Privacy Act. Moreover, the new OMB requirements do not create any enforceable rights or benefits at law against the government.
Attachment 1 — Safeguarding Against the Breach of Personally Identifiable Information
Attachment 1 of the OMB Memorandum, Safeguarding Against the Breach of Personally Identifiable Information, reemphasizes agencies’ responsibilities under existing law (e.g., the Privacy Act and FISMA), executive orders, regulations, and policy to safeguard personally identifiable information and train employees. Two new privacy requirements and five new security requirements are established in attachment 1 of the OMB Memorandum.
To implement the new privacy requirements, agencies are required to review current holdings of all personally identifiable information to ensure that they are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount. Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use of social security numbers within eighteen months. Agencies must implement the following five new security requirements (applicable to all federal information): encrypt all data on mobile computers/devices carrying agency [[data]; employ two-factor authentication for remote access; use a “time-out” function for remote access and mobile devices; log and verify all computer-readable data extracts from databases holding sensitive information; and ensure that individuals and supervisors with authorized access to personally identifiable information annually sign a document describing their responsibilities.
Attachment 2 — Incident Reporting and Handling Requirements
Attachment 2 of the OMB Memorandum, Incident Reporting and Handling Requirements, applies to the breach of personally identifiable information in electronic or paper format. Existing FISMA information security requirements are reviewed (implementation of procedures for detecting, reporting, and responding to security incidents, notifying and consulting with appropriate officials and authorities, and implementing NIST guidance and standards). Agencies are required to report all incidents involving personally identifiable information within one hour of discovery/detection; and publish a “routine use” policy under the Privacy Act for appropriate systems of records applying to the disclosure of information to appropriate agencies, entities, and persons in connection with response and remedial efforts in the event of a data breach.
Attachment 3 — External Breach Notification
Attachment 3, External Breach Notification, identifies the factors agencies should consider in determining when notification outside the agency should be given and the nature of the notification. Notification may not be necessary for encrypted information. Agency breach notification plans are required to address whether breach notification is required; the timeliness of the notification; the source of the notification; the contents of the notification; the means of providing the notification; and who receives notification. In addition, each agency is directed to establish an agency response team. Agencies must assess the likely risk of harm caused by the breach and the level of risk. Agencies are directed to consider the nature of the data elements breached, the number of individuals affected, the likelihood the personally identifiable information is accessible and usable, the likelihood the breach may lead to harm, and the ability of the agency to mitigate the risk of harm.
Agencies should provide notification without unreasonable delay following the detection of a breach, but are permitted to delay notification for law enforcement, national security purposes, or agency needs. When the breach involves a federal contractor or an entity operating a systems of records for the agency, the agency must issue the notification and undertake corrective actions. Attachment 3 also includes specifics as to the content of the notice, criteria for determining the method of notification, and the types of notice that may be used.
Attachment 4 — Rules and Consequences Policy
Attachment 4, Rules and Consequences Policy, directs each agency to develop and implement a policy outlining the rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. The particular facts and circumstances, including whether the breach was intentional, are to be considered in taking appropriate disciplinary action. Any action taken by supervisors must be consistent with law, regulation, applicable case law, and any relevant collective bargaining agreement.
Supervisors may be subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring. Each agency should have a documented policy in place which applies to employees of the agency (including managers), and its contractors, licensees, certificate holders, and grantees, and that describes the terms and conditions affected individuals shall be subject to and identifies available corrective actions.
Rules of behavior and corrective actions should address the failure to implement and maintain security controls for personally identifiable information; exceeding authorized access to, or disclosure to unauthorized persons of, personally identifiable information; failure to report any known or suspected loss of control or unauthorized disclosure of personally identifiable information; and for managers, failure to adequately instruct, train, or supervise employees in their responsibilities. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.
- The President's Identity Theft Task Force is composed of 18 federal agencies and departments, and was tasked with developing a strategic plan for the federal government to combat identity theft. [[Executive Order 13402|Exec. Order No. 13402, 71 Fed.Reg. 27945 (2006).
- Office of Management and Budget, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (full-text).
- The OMB Memorandum defines the term "personally identifiable information" as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
- OMB Memorandum M-07-16, at 4 n.12.
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
- The first four information security requirements were adopted in an earlier memorandum, see OMB Memo 06-16 “Protection of Sensitive Agency Information.”.
- The Privacy Act defines a routine use to mean “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. §552a(a)(7).
- OMB Memorandum M-07-16 at 11.