On January 3, the Office of Management and Budget (OMB) issued Memorandum M-17-12, which clarifies how federal agencies should prepare for and respond to data security breaches involving personally identifiable information (PII). Memorandum M-17-12 updates existing OMB guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA) and implements those recommendations set out in OMB Memorandum M-16-04.
Memorandum M-17-12 is specifically directed towards agencies' Senior Agency Officials for Privacy (SAOPs) and other senior agency officials, managers, and staff who assist in evaluating risk of harm caused by breaches. However, private sector entities may also use the guidelines set forth for preparing for and responding to breaches to inform their applicable internal processes and procedures.
Preparing for Data Breaches
The Memorandum outlines various requirements and mechanisms for responding to and preparing for PII breaches, and for assessing and mitigating the risk of harm to individuals that may be affected.
Certain key requirements and mechanisms include
- developing training on how to identify, respond to, and report a breach; and
- requiring agency contracts, when applicable, to include provisions that permit the agency to respond to breaches and obligate contractors to meet OMB and agency-specific guidelines with respect to handling PII.
Breach Response Plans
The Memorandum further sets out SAOP requirements for developing and implementing breach response plans. Breach response plans, at a minimum, must include the following (each of which are further detailed in the Memorandum):
- Breach response team
- Identification of applicable privacy compliance documentation
- Information sharing to respond to a breach
- Reporting requirement
- Assessment of the risk of harm to potentially affected individuals
- Methods for mitigating the risk of harm to potentially affected individuals
- Notification of potentially affected individuals
Tracking and Documenting Breach Responses
Agencies must track and document the response to each breach (whether suspected or confirmed) using a standardized reporting template that reflects the agencies’ missions and functions (a model is included as Appendix I of the Memorandum). Further, when an agency reports a breach to the US Congress, the SAOP must convene the breach response team to review and assess the agency’s response to the breach and identify lessons learned in order to implement preventive actions.
In addition to the model breach reporting template, the Memorandum’s appendices include examples of guidance and services an agency may offer to individuals affected by data breaches, as well as a listing of government-wide incident and breach response resources (federal laws, executive orders, memoranda, and directives).
Annual Reviews and Reports
The Memorandum requires that each agency
- conduct a “tabletop” exercise to test the agency’s breach response plan no less than annually;
- conduct a review at the end of each fiscal year of all reported breaches and consider, among other things, potential breach response plan updates, updates to existing policies or implementation of new policies to protect PII, or improvements to training and awareness; and
- submit an annual FISMA report on the effectiveness of the agency’s information security policies and procedures.
Submission of Data Breach Response Plans
Each agency’s SAOP is required to update its respective agency’s data breach response plan and submit it to OMB within 180 days following the release of the Memorandum.