On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).
The Breach Memorandum sets the stage by discussing the evolving threat and risk landscape, noting that there has been a 27 percent increase in the number of incidents reported by federal agencies from 2013 to 2015. The Breach Memorandum defines a “breach,” which is a type of incident, as “[t]he loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.” This definition goes beyond the definition contained in many state breach notification laws by including incidents of “potential” access to PII.
The Breach Memorandum next notes the importance of breach response and awareness training, and emphasizes key provisions to include in agency contracts that obligate contractors to (1) encrypt PII in accordance with OMB and agency-specific guidelines, (2) report breaches to the relevant agency as soon as possible and (3) cooperate with any forensic investigation and analysis. With respect to breach reporting, the Breach Memorandum encourages each agency to set up a simple email address, such as breach@[agency].gov, to which individuals may report suspected or confirmed breaches.
The Breach Memorandum then focuses on breach response plans. It requires each SAOP to develop and implement a breach response plan that:
- establishes a Breach Response Team at each agency to be headed by the SAOP;
- identifies applicable privacy compliance documentation such as system of record notices and privacy impact assessments;
- facilitates information sharing within the agency or between agencies for the purposes of reconciling or eliminating duplicate records, identifying potentially affected individuals or obtaining individuals’ contact information;
- analyzes reporting requirements to determine whether a specific breach requires the agency to notify law enforcement or Congress;
- assesses the risk of harm to potentially affected individuals by considering factors such as the PII at issue, the likelihood of access to and use of the information, and the relevant actors involved;
- mitigates the risk of harm to potentially affected individuals such as by purchasing identify theft protection services for potentially affected individuals; and
- notifies individuals affected by a breach, using the most appropriate method of notification.
Following a breach, agencies must track and document the response to each breach via a standard internal reporting template and identify any lessons learned from a breach. In addition, the SAOP and the agency must annually: (1) conduct a tabletop exercise, (2) review the breach response plan and consider potential updates and (3) submit an annual FISMA report on the adequacy of the agency’s information security policies and procedures.
The Breach Memorandum contains several appendices that can be used as resources for federal agencies, including a model breach reporting template, examples of services an agency may provide to affected individuals and a list of federal laws, executive orders, memoranda and directives that address data breaches.