Recommendations for Identity Theft Related Data Breach Notification

In September 2006, The Office of Management and Budget issued a memorandum suggested by the President’s Identity Theft Task Force to help government departments and agencies adequately protect data.

What is Identity Theft?

Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial related fraud. This is achieved either by using financial account information or using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity theft.

The President’s Identity Theft Task Force made the following recommendations:

Data Breach Planning

Effective information security requires building contingency plans in the event a data breach occurs. Each agency should select a number of appropriate individuals to be part of a data breach response group that convenes after any potential or confirmed data breach has been found.

This group should include at minimum:

• Chief Information Officer
• Chief Legal Officer
• Chief Privacy Officer
• Senior management official
• Agency’s Inspector General

This group should meet initially to develop basic contingency plans to be automatically implemented when a breach occurs and reconvene as necessary in response to security incidents.

Identifying an Incident that Presents Identity Theft Risk and the Level of Risk Involved

Not all data breaches may result in an identity theft risk. When a security breach occurs, agencies must determine on a case by case basis if there is a risk of identity theft and the level of that risk.

What constitutes an identity theft risk?

• Unauthorized disclosure of an individual’s Social Security Number
• Unauthorized disclosure of an individual’s name, address or telephone number with
  • a government identifier (ie: driver’s license)
  • a biometric record
  • a financial account number with the pin or security code
  • any information that particularly identifies an individual such as a relationship with a financial institution or club membership

When such information has been compromised the following criteria should be used to determine the level of risk of identity theft:

• the level of difficulty an unauthorized individual would have to use the information
• how the data loss occurred including whether it may be considered or related to criminal activity
• the ability of the agency to counteract or prevent abuse of the information
• evidence that the information that has been compromised is used to commit fraud related to identity theft

Reducing Risk After Disclosure

When a data breach has occurred and a risk of identity theft has been determined, measures should be taken by both the affected individual and the agency to minimize the abuse of the information. Responses may vary depending on the type of information compromised and the level of risk determined by the agency.

Individual actions may include:

• Closing affected financial accounts
• Monitoring financial accounts
• Requesting and monitoring their credit report
• Placing a fraud alert with the credit bureaus
• Placing a credit freeze on their credit account
• Increasing identity theft awareness by watching for criminals offering credit assistance who may just be attempting to obtain more PII

Agency actions may include:

• Notifying banks if government authorized credit cards or government payments are involved
• Perform data breach analysis to determine whether a data breach has resulted in identity theft
• Provide credit monitoring services to affected individuals.
• Notification to law enforcement officials

Providing Notice to Those Affected

Agencies are not required to notify affected individuals after any data breach has occurred. However, agencies must notify individuals when a breach has occurred that poses a significant risk of identity theft so that suitable countermeasures may be taken.

Providing notice for all data breaches is not an effective response to data breaches because:

• Notification is costly
• Counter measures, such as closing financial accounts, placing fraud alerts and obtaining new ID documents is too costly to both the public and private sector to be undertaken with every data breach
• Frequent public notices may confuse the public as to what constitutes a minor or major threat and what actions must be taken

If an agency has determined that the risk of identity theft is large enough to warrant notification, the following guidelines should be used in providing notice:

• Timing– Affected individuals must be notified at the correct time. Individuals should be notified as early as possible to allow protective measures to be implemented. However, information regarding identity theft, if released too early may exaggerate the threat, or impede an investigation. Agencies must confer with law enforcement officials to make sure that notification is made at the time appropriate to the actions that must be taken
• Source– Individuals must be given the name of the responsible party from where the breach occurred. The breach may not always occur within an agency, for instance, if an outside contractor handles the information on behalf of an agency and the breach occurred in their system. The agency still maintains liability for the information and an agency official should be cited as the contact person.
• Contents– Individuals should be told in clear, easy-to-understand terms:
  • brief description of the data breach
  • the type of information that may be compromised
  • brief description of the agency’s actions to investigate and mitigate the breach and prevent further problems in the future
  • contact information to ask questions including a toll free number, web address and postal address
  • the actions an individual should take to mitigate the threat of identity theft
• Method of Notification–Notification methods should be chosen based on how the majority of affected individuals can receive the information. A mailing address should be the primary means of communication.
• Preparing for follow-on inquiries– Agencies must be prepared to handle the volume of follow-up inquiries they may receive, especially after a public announcement. Officials may choose to delay public notice of data breaches to allow an agency adequate time to prepare a response plan for such requests.
• Preparing counterpart entities that may receive a surge in inquiries– agencies should alert other entities such as affected financial institutions or the credit bureaus if they may see a significant increase in requests due to notice of a data breach.

Summary

The Government is one of the largest consumers of personally identifiable information. As such, it is at significant risk for data breaches and unauthorized disclosure of sensitive data. In addition to implementing adequate security measures, agencies must be prepared to notify individuals when significant data breaches occur. While a data breach may be considered something of an embarrassment, agencies are required by law to report such incidents and alert affected individuals that may face significant threat of identity theft.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• OMB Memorandum, September 20, 2006: Recommendations for Identity Theft Related Data Breach Notification Guidance (II.A.c.2.i)