Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of compliance.
On May 22, 2007, the Presidential Identity Theft Task Force issued Memorandum 07-16. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements that agencies must use in creating such policies.
What is Personally Identifiable Information (PII)?
M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:
Safeguarding Against the Breach of Personally Identifiable Information
Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are required to assign risk levels to information systems according to NIST SP 800-37.
Attachment I also created the following new requirements:
Review and Reduce the Volume of Personally Identifiable Information
Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically reviewed according to a public schedule.
Reduce the Use of Social Security Numbers
All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSNs) within eighteen months. Furthermore, agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.
Agencies must implement the following security features to protect all Federal information, not just data containing PII:
- Require two-factor authentication using separate devices when accessing information remotely
- Implement a time-out function requiring re-authentication after a period of inactivity on remote access and mobile devices
- Log data extracts from data files containing sensitive information and verify each extract, including the destruction of extracted sensitive data within 90 days once it is no longer in use
- Educate all individuals handling PII and have them sign a document annually stating that they understand their responsibilities
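The third control above (log every extract of sensitive data and verify that it is destroyed within 90 days unless still in use) is the one most agencies end up scripting. The register below is an added example written for this post; it is not code from M-07-16 or from any agency, and every name in it (ExtractRegister, the sample extract ids and source files, the analyst names) is constructed. It keeps an append-only audit trail of extracts, lets a requester re-attest that an extract is still required (which restarts the 90-day window), records destruction, and reports which extracts are overdue because they are neither destroyed nor covered by a current attestation.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Retention window taken from the memorandum's 90-day requirement; everything
# else (class and field names, sample records) is constructed for this example.
RETENTION_DAYS = 90


@dataclass
class Extract:
    extract_id: str
    source: str                               # file or database the data was pulled from
    requester: str
    created: datetime
    required_until: Optional[datetime] = None  # set by a "still in use" attestation
    destroyed: Optional[datetime] = None


class ExtractRegister:
    """Register of extracts from files holding sensitive data, with an append-only audit trail."""

    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}
        self.audit_log: List[str] = []

    def _audit(self, when: datetime, event: str) -> None:
        self.audit_log.append(f"{when.isoformat()} {event}")

    def log_extract(self, extract_id: str, source: str, requester: str, when: datetime) -> Extract:
        """Record a new extract; ids must be unique so later verification maps to one record."""
        if extract_id in self._extracts:
            raise ValueError(f"duplicate extract id: {extract_id}")
        extract = Extract(extract_id, source, requester, when)
        self._extracts[extract_id] = extract
        self._audit(when, f"EXTRACT {extract_id} source={source} requester={requester}")
        return extract

    def attest_still_required(self, extract_id: str, when: datetime) -> datetime:
        """Requester re-attests the extract is still in use; the 90-day clock restarts from now."""
        extract = self._extracts[extract_id]
        if extract.destroyed is not None:
            raise ValueError(f"{extract_id} already destroyed")
        extract.required_until = when + timedelta(days=RETENTION_DAYS)
        self._audit(when, f"ATTEST {extract_id} required_until={extract.required_until.date()}")
        return extract.required_until

    def record_destruction(self, extract_id: str, when: datetime) -> None:
        """Record that the extracted data was destroyed; a second destruction is a logging error."""
        extract = self._extracts[extract_id]
        if extract.destroyed is not None:
            raise ValueError(f"{extract_id} already destroyed")
        extract.destroyed = when
        self._audit(when, f"DESTROY {extract_id}")

    def overdue(self, now: datetime) -> List[str]:
        """Extracts older than the window that are neither destroyed nor covered by a current attestation."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        return sorted(
            e.extract_id
            for e in self._extracts.values()
            if e.destroyed is None
            and e.created <= cutoff
            and (e.required_until is None or e.required_until <= now)
        )


def sample_register() -> ExtractRegister:
    """Constructed sample records covering each state the verification must distinguish."""
    reg = ExtractRegister()
    reg.log_extract("A", "payroll.db", "analyst1", datetime(2024, 1, 1))   # never verified
    reg.log_extract("B", "payroll.db", "analyst2", datetime(2024, 2, 15))  # still inside window
    reg.log_extract("C", "hr.csv", "analyst1", datetime(2024, 1, 10))
    reg.attest_still_required("C", datetime(2024, 3, 20))                  # attestation current
    reg.log_extract("D", "hr.csv", "analyst3", datetime(2024, 1, 5))
    reg.record_destruction("D", datetime(2024, 3, 1))                      # destroyed in time
    reg.log_extract("E", "benefits.db", "analyst2", datetime(2024, 1, 2))
    reg.attest_still_required("E", datetime(2024, 1, 20))                  # attestation has lapsed
    return reg


def overdue_in_sample(now_iso: str) -> List[str]:
    """Run the overdue check over the sample register as of an ISO date, e.g. "2024-05-01"."""
    return sample_register().overdue(datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    register = sample_register()
    for line in register.audit_log:
        print(line)
    print("overdue for destruction:", register.overdue(datetime(2024, 5, 1)))
```

Run as of 1 May 2024 the check flags A (never verified) and E (its attestation expired on 19 April), while B is still inside its first window, C is covered by a current attestation and D has a destruction record. Making the attestation expire, rather than storing a permanent "still in use" flag, is what forces the periodic re-verification the memorandum asks for.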
Incident Reporting and Handling
Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.
All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team regardless of whether the breach is potential or confirmed. Reporting must take place within one hour of detection for Category 1 incidents. Examples of Category 1 incidents include:
- An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization
- Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred
Develop and Publish a Routine Use
Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.
External Breach Notification
Attachment 3 of M-07-16 addresses how and when data breaches should be reported to affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials in deciding when notification is necessary and how it should be undertaken.
Whether Breach Notification is Required
Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:
- Type of information compromised
- Number of affected individuals
- Accessibility and usability of the information
- Likelihood of harm occurring
- Ability of the agency to mitigate harm
Timeliness of the Notification
If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized by a senior official, if notification may seriously affect law enforcement proceedings.
Source of the Notification
Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting fewer than fifty people may also come from the Chief Information Officer or Privacy Officer.
Contents of the Notification
Notice should be provided in writing and contain the following information:
- Type of information compromised
- Whether the information was encrypted or similarly protected
- Steps the individual can take to mitigate harm
- Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents
- Contact information for the agency
Means of Providing Notification
Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:
- First-Class mail
- Existing Government-wide services
- Newspapers and other media
- Any accommodations necessary for individuals with disabilities
Who Receives Notification
For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public, including the media, should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agency's web page when public notification occurs.
Rules and Consequences Policy
Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.
The policy must outline the requirements for employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors who fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:
- The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government
- The types of actions that constitute violations, including:
  - Failing to maintain or implement security controls
  - Accessing PII or disclosing PII to other individuals without authorization
  - Failing to report suspected data breaches or unauthorized disclosures
  - Failing to adequately instruct, train or supervise employees handling PII (for managers)
The Federal Government has a legal responsibility to protect the personally identifiable information it has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- OMB Memorandum 07-16 (II.A.c.2.j)