

Office of Management and Budget, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (OMB Memorandum M-07-16) (May 22, 2007) (full-text).


In response to recommendations from the President's Identity Theft Task Force,[1] the Office of Management and Budget issued this guidance in May 2007. This OMB Memorandum requires all federal agencies to develop and implement, by August 22, 2007, a breach notification policy to safeguard "personally identifiable information"; the policy is to apply to both electronic systems and paper documents.[2] To formulate their policy, agencies are directed to review existing privacy and security requirements and to include requirements for incident reporting and handling and for external breach notification. In addition, agencies are required to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information.

Attachment 1 -- Safeguarding Against the Breach of Personally Identifiable Information

Attachment 1 of the OMB memorandum, "Safeguarding Against the Breach of Personally Identifiable Information," reemphasizes agencies' responsibilities under existing law (e.g., the Privacy Act and FISMA), executive orders, regulations, and policy to safeguard personally identifiable information and train employees. Two new privacy requirements and five new security requirements are established. To implement the new privacy requirements, agencies are required to review current holdings of all personally identifiable information to ensure that they are accurate, relevant, timely, and complete, and reduced to the minimum necessary amount.

Within 120 days, agencies must establish a plan to eliminate the unnecessary collection and use of social security numbers within eighteen months. Agencies must implement the following five new security requirements (applicable to all federal information): encrypt all data on mobile computers/devices carrying agency data; employ two-factor authentication for remote access; use a “time-out” function for remote access and mobile devices; log and verify all computer-readable data extracts from databases holding sensitive information; and ensure that individuals and supervisors with authorized access to personally identifiable information annually sign a document describing their responsibilities.[3]

Attachment 2 -- Incident Reporting and Handling Requirements

Attachment 2 of the OMB Memorandum, "Incident Reporting and Handling Requirements," applies to the breach of personally identifiable information in electronic or paper format. Agencies are required to report all incidents involving personally identifiable information within one hour of discovery/detection, and to publish a “routine use”[4] under the Privacy Act applying to the disclosure of information to appropriate persons in the event of a data breach.[5]

Attachment 3 -- External Breach Notification

Attachment 3, "External Breach Notification," identifies the factors agencies should consider in determining when notification outside the agency should be given and the nature of the notification. Notification may not be necessary for encrypted information. Each agency is directed to establish an agency response team. Agencies must assess the likely risk of harm caused by the breach and the level of risk. Agencies should provide notification without unreasonable delay following the detection of a breach, but are permitted to delay notification for law enforcement, national security purposes, or agency needs. Attachment 3 also includes specifics as to the content of the notice, criteria for determining the method of notification, and the types of notice that may be used.

Attachment 4 -- Rules and Consequences Policy

Attachment 4, "Rules and Consequences Policy," directs each agency to develop and implement a policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. Supervisors may be subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring. Rules of behavior and corrective actions should address the failure to implement and maintain security controls for personally identifiable information; exceeding authorized access to, or disclosure to unauthorized persons of, personally identifiable information; failure to report any known or suspected loss of control or unauthorized disclosure of personally identifiable information; and for managers, failure to adequately instruct, train, or supervise employees in their responsibilities. Consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy.


  1. Executive Order 13402.
  2. The memo defines the term "personally identifiable information" as "information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc." Id.
  3. The first four information security requirements were adopted in an earlier memorandum. See OMB Memorandum M-06-16.
  4. The Privacy Act of 1974 defines a "routine use" to mean “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. §552a(a)(7).
  5. OMB Memorandum M-07-16, at 11.