The Office of Management and Budget recently issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information ("PII").
The OMB's suggested framework specifically aims to "assess and mitigate the risk of harm to individuals potentially affected by a breach," and to provide "guidance on whether and how to provide notification and services to those individuals." The implementation of common federal agency standards and processes is oriented to not only streamline the way agencies deal with the release of PII, but to also ensure that the federal government is capable of handling data breaches in an effective and efficient manner.
Among the more notable requirements in the guidelines are those imposed on federal contractors who collect or maintain federal information, or who use or operate information systems on behalf of a federal agency. The OMB outlines terms for agencies to incorporate into federal contracts and cooperative agreements, including requiring that contractors and subcontractors:
Exchange information with agencies and permit inspection to ensure compliance with contractual requirements, execute the agency's breach response plan, and assist with responding to a data breach;
Report both confirmed and suspected data breaches to the federal agency occurring in any medium, including paper, oral, or electronic disclosures;
Encrypt PII to comply with OMB Circular A-130 and undertake any other protections of PII outlined in agency-specific policies;
Train contractor or subcontractor personnel in breach identification and reporting;
Maintain capabilities to determine what federal information was or could have been accessed and by whom, to construct user activity timelines, to determine the methods of accessing federal information, and to identify an initial attack vector.
The agencies are given significant discretion to direct their contractors' actions in the event of a breach, and can also require contractors to notify individuals who may be affected by a breach and take measures to mitigate the risk of harm to affected individuals.
Companies doing business with the federal government will want to review their information security policies and incident response plans for compatibility with the new OMB guidelines. Notably, the new guidelines differ in several important respects from the state data breach notification laws that response policies commonly reflect.