OMB Issues Memo To Agencies Regarding Breaches Of Personally Identifiable Information

King & Spalding

On January 3, 2017, the Office of Management and Budget (“OMB”) released to the heads of executive departments and agencies a memorandum entitled Preparing for and Responding to a Breach of Personally Identifiable Information (the “Memorandum”).  The Memorandum sets forth a policy for protecting personally identifiable information (“PII”) that is consistent across agencies yet flexible enough for each agency to tailor its breach response plan to its own needs.  The Memorandum reflects updates in privacy law and policy, including incorporation of the Federal Information Security Modernization Act of 2014 and OMB Memorandum M-16-04.

The Memorandum defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”  Key aspects of an agency’s protocol for preparing for and responding to breaches of PII include:

  • Training and Awareness: Agencies must develop training programs, which “emphasize the individual’s obligation to report to the agency not only a confirmed breach, but also a suspected breach, involving information in any medium or form, including paper, oral, and electronic.”
  • Preparing for a Breach: Primary responsibility for overseeing compliance with the agency’s privacy program falls to that agency’s Senior Agency Official for Privacy (“SAOP”).  Agencies must take the steps necessary to ensure that their contractors and grantees are sufficiently encompassed in the breach protocol, and that the necessary logistical and technical support has been identified.
  • Reporting a Suspected or Confirmed Breach: Agencies must ensure “that individuals with access to the agency’s Federal information and information systems . . . report a suspected or confirmed breach to the agency as soon as possible and without unreasonable delay, consistent with the agency’s incident management policy and procedures, NIST [National Institute of Standards and Technology] standards and guidelines, as well as US-CERT [United States Computer Emergency Readiness Team] notification guidelines.” 
  • Breach Response Plan: The plan “is a formal document that includes the agency’s policies and procedures for reporting, investigating, and managing a breach, and it should be specifically tailored to the agency and address the agency’s missions, size, structure, and functions.”  The plan must include, at minimum, the following elements:
      • Breach Response Team
      • Identification of Applicable Privacy Compliance Documentation
      • Information Sharing to Respond to a Breach
      • Reporting Requirements
      • Assessment of the Risk of Harm to Individuals Potentially Affected by a Breach
      • Mitigation of the Risk of Harm to Individuals Potentially Affected by a Breach
      • Notification of Individuals Potentially Affected by a Breach

The OMB has acknowledged that “[t]he unprecedented volume of PII maintained by the Federal Government today, coupled with the rapidly evolving threat and risk landscape, necessitate that agencies take an aggressive approach to protecting Federal information resources.”  Thus, “it is critically important that Federal agencies remain vigilant and prepare for and understand how to respond to a breach in today’s threat landscape.”
