The White House Office of Management and Budget (OMB) on Tuesday issued updated minimum requirements that federal agencies must follow when responding to breaches of personally identifiable information (PII) to ensure that agencies keep pace with relevant laws and policies, in particular the Federal Information Security Modernization Act of 2014.
“Between Fiscal Years 2013 and 2015, there was a 27 percent increase in the number of incidents reported by Federal agencies to the DHS United States Computer Emergency Readiness Team (US-CERT),” says the 47-page Jan. 3 memorandum (m-17-12) signed by OMB Director Shaun Donovan. “These incidents have the potential to place sensitive information at risk and to pose serious threats to individuals and Federal operations and assets.”
The memo directs the establishment of annual training and awareness campaigns, including baseline training on “how to identify, report, and respond to a suspected or confirmed breach” as well as “specialized training for specific group” of employees and supervisors “who have access to or responsibility for High Value Assets.”
Terms for dealing with PII-related breaches also need to be included in contracts with vendors that collect, maintain or use this data on behalf of an agency, the memo says. For example, it says contractors and subcontractors are required to encrypt PII data in accordance with existing OMB regulations.
The directive also requires agency leaders to have plans in place related to the logistical and technical support needed to respond to a breach, pointing out that such an endeavor can be a “resource-intensive and challenging undertaking and can require hundreds of hours to complete.” It also calls for a breach response plan within each agency that includes a response team, privacy compliance documentation, information sharing to respond to a breach, reporting requirements, an assessment of the harm to individuals affected by a breach, risk mitigation plans for affected individuals, and notification to affected individuals.
The memo also says that any suspected or confirmed breach must be reported to the agency “as soon as possible and without unreasonable delay.”