Office of Management and Budget "Breach Notification Policy"
== Overview ==

In response to recommendations from the [[President's Identity Theft Task Force]],<ref>The [[President's Identity Theft Task Force]] is composed of 18 federal agencies and departments, and was tasked with developing a strategic plan for the federal government to combat [[identity theft]]. [[Executive Order 13402|Exec. Order No. 13402]], 71 Fed. Reg. 27945 (2006).</ref> the [[Office of Management and Budget]] issued guidance in May 2007 for federal agencies on "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."<ref>[[Office of Management and Budget]], [[OMB Memorandum M-07-16]], Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) ([http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf full-text]).</ref> The [[OMB]] memorandum requires all federal agencies to [[implement]] a [[breach notification]] policy to safeguard "[[personally identifiable information]]" within 120 days of the date of the memorandum (by August 22, 2007); the policy must apply to both electronic systems and paper documents.<ref>The [[OMB]] Memorandum defines the term "[[personally identifiable information]]" as "[[information]] which can be used to distinguish or trace an individual's identity, such as their name, [[social security number]], biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."</ref> To formulate their [[policy]], agencies are directed to review existing [[privacy]] and [[security]] requirements, and to include requirements for incident reporting and handling and for external [[breach notification]]. In addition, agencies are required to develop policies concerning the responsibilities of individuals authorized to access [[personally identifiable information]]. Agencies are permitted to develop more stringent policies.

According to the [[OMB]] memo, an agency's failure to [[implement]] one or more [[FISMA]] provisions or associated [[standard]]s, [[policies]], or guidance issued by [[OMB]] or the [[National Institute of Standards and Technology]] ([[NIST]]) would not constitute less than adequate protections required by the [[Privacy Act of 1974|Privacy Act]]. Moreover, the new [[OMB]] requirements do not create any enforceable rights or benefits at law against the government.<ref>OMB Memorandum M-07-16, at 4 n.12.</ref>

== Attachment 1 — Safeguarding Against the Breach of Personally Identifiable Information ==

Attachment 1 of the OMB Memorandum, ''Safeguarding Against the Breach of Personally Identifiable Information,'' reemphasizes agencies’ responsibilities under existing law (e.g., the [[Privacy Act of 1974|Privacy Act]] and [[FISMA]]), [[executive order]]s, [[regulation]]s, and [[policy]] to safeguard [[personally identifiable information]] and train employees.<ref>[[FIPS 199]], Standards for Security Categorization of Federal Information and Information Systems; [[FIPS 200]], Minimum Security Requirements for Federal Information and Information Systems ([http://csrc.nist.gov/publications/fips/index.html]); [[NIST Special Publication 800-53]], Recommended Security Controls for Federal Information Systems; and [[NIST Special Publication 800-37]], Guide for the Security Certification and Accreditation of Federal Information Systems ([http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf]).</ref> Two new [[privacy]] requirements and five new [[security requirement]]s are established in Attachment 1 of the OMB Memorandum. To implement the new [[privacy]] requirements, agencies are required to review current holdings of all [[personally identifiable information]] to ensure that they are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount. Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use of [[social security number]]s within eighteen months.

Agencies must implement the following five new [[security requirement]]s (applicable to all federal information):

* [[encrypt]] all [[data]] on mobile computers/devices carrying agency [[data]];
* employ two-factor [[authentication]] for [[remote access]];
* use a “time-out” function for [[remote access]] and mobile devices;
* log and verify all computer-readable [[data]] extracts from [[database]]s holding [[sensitive information]]; and
* ensure that individuals and supervisors with [[authorized access]] to [[personally identifiable information]] annually sign a document describing their responsibilities.<ref>The first four [[information security requirement]]s were adopted in an earlier memorandum; see OMB Memo 06-16, “Protection of Sensitive Agency Information” ([http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf]).</ref>

== Attachment 2 — Incident Reporting and Handling Requirements ==

Attachment 2 of the OMB Memorandum, ''Incident Reporting and Handling Requirements,'' applies to the breach of [[personally identifiable information]] in electronic or paper format. Existing [[FISMA]] [[information security requirement]]s are reviewed (implementation of procedures for detecting, reporting, and responding to [[security incident]]s; notifying and consulting with appropriate officials and authorities; and implementing [[NIST]] guidance and standards). Agencies are required to report all incidents involving [[personally identifiable information]] within one hour of discovery/detection, and to publish a “routine use” policy<ref>The [[Privacy Act of 1974|Privacy Act]] defines a routine use to mean “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. §552a(a)(7).</ref> under the [[Privacy Act of 1974|Privacy Act]] for appropriate systems of records applying to the disclosure of [[information]] to appropriate agencies, entities, and persons in connection with response and remedial efforts in the event of a [[data breach]].<ref>OMB Memorandum M-07-16, at 11.</ref>

== Attachment 3 — External Breach Notification ==

Attachment 3, ''External Breach Notification,'' identifies the factors agencies should consider in determining when notification outside the agency should be given and the nature of the notification. Notification may not be necessary for [[encrypt]]ed information. Agency [[breach notification]] plans are required to address whether [[breach notification]] is required; the timeliness of the notification; the source of the notification; the contents of the notification; the means of providing the notification; and who receives notification. In addition, each agency is directed to establish an agency response team.

Agencies must assess the likely risk of harm caused by the [[data breach|breach]] and the level of risk. Agencies are directed to consider the nature of the data elements breached, the number of individuals affected, the likelihood the [[personally identifiable information]] is accessible and usable, the likelihood the [[data breach|breach]] may lead to harm, and the ability of the agency to mitigate the risk of harm. Agencies should provide notification without unreasonable delay following the detection of a [[data breach|breach]], but are permitted to delay notification for law enforcement or [[national security]] purposes, or for agency needs. When the [[data breach|breach]] involves a federal contractor or an entity operating a system of records for the agency, the agency must issue the notification and undertake corrective actions. Attachment 3 also includes specifics as to the content of the notice, criteria for determining the method of notification, and the types of notice that may be used.

== Attachment 4 — Rules and Consequences Policy ==

Attachment 4, ''Rules and Consequences Policy,'' directs each agency to develop and implement a policy outlining the rules of behavior and identifying the consequences and corrective actions available for failure to follow these rules. The particular facts and circumstances, including whether the breach was intentional, are to be considered in taking appropriate disciplinary action. Any action taken by supervisors must be consistent with law, regulation, applicable case law, and any relevant collective bargaining agreement. Supervisors may be subject to disciplinary action for failure to take appropriate action upon discovering the [[data breach|breach]] or failure to take required steps to prevent a [[data breach|breach]] from occurring.

Each agency should have a documented policy in place which applies to employees of the agency (including managers) and to its contractors, licensees, certificate holders, and grantees, and that describes the terms and conditions affected individuals shall be subject to and identifies available corrective actions. Rules of behavior and corrective actions should address the failure to implement and maintain [[security controls]] for [[personally identifiable information]]; [[exceeding authorized access]] to, or disclosure to unauthorized persons of, [[personally identifiable information]]; failure to report any known or suspected loss of control or unauthorized disclosure of [[personally identifiable information]]; and, for managers, failure to adequately instruct, train, or supervise employees in their responsibilities. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.

== References ==
<references />

[[Category:Privacy]]
[[Category:Security]]
[[Category:2007]]