Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals potentially affected by a breach,” and to provide “guidance on whether and how to provide notification and services to those individuals.” The implementation of common federal agency standards and processes is oriented to not only streamline the way agencies deal with the release of PII, but to also ensure that the federal government is capable of handling data breaches in an effective and efficient manner.
Among the more notable requirements in the guidelines are those imposed on federal contractors who collect or maintain federal information, or who use or operate information systems on behalf of a federal agency. The OMB outlines terms for agencies to incorporate into federal contracts and cooperative agreements, including requiring that contractors and subcontractors:
- Exchange information with agencies and permit inspection to ensure compliance with contractual requirements, execute the agency’s breach response plan, and assist with responding to a data breach
- Report both confirmed and suspected data breaches to the federal agency occurring in any medium, including paper, oral, or electronic disclosures
- Encrypt PII to comply with OMB Circular A-130 and undertake any other protections of PII outlined in agency-specific policies
- Train contractor or subcontractor personnel in breach identification and reporting
- Maintain capabilities to determine what federal information was or could have been accessed and by whom, to construct user activity timelines, to determine the methods of accessing federal information, and to identify an initial attack vector
The agencies are given significant discretion to direct their contractors’ actions in the event of a breach, and can also require contractors to notify individuals who may be affected by a breach and take measures to mitigate the risk of harm to affected individuals.
Companies doing business with the federal government will want to review their information security policies and incident response plans for compatibility with the new OMB guidelines. Notably, the new guidelines differ in some important respects from the state data breach notification laws that are commonly reflected in response policies. For example:
- Definition of PII: The OMB guidelines define PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” This is significantly broader in scope than the definition of PII generally applied in state laws, where PII is usually confined to a person’s name in combination with a sensitive data element, such as a Social Security Number, driver’s license number, or financial account number.
- Medium of Disclosure: The OMB guidelines cover data breaches in any medium, including oral disclosures, while the state laws typically apply to electronically stored information, and sometimes paper documents. Employee training and company policies on confidentiality may need to be updated to clarify the scope of reporting requirements for unauthorized disclosures.
- Notification Trigger: According to the OMB memorandum, agency heads have final decision-making authority (subject to other laws and requirements) to report a confirmed or suspected data breach to US-CERT, law enforcement, Congress, or affected individuals. Although the likelihood of harm to an individual and other factors are supposed to be taken into consideration, the OMB guidelines do not have an automatic “trigger” for notification, as state laws do. This may put pressure on contractors reporting an incident to quickly “provide all the pertinent facts” to the relevant agency so that the agency can make an accurate, timely, and defensible decision on notification.
The OMB directs the Federal Acquisition Regulatory (FAR) Council to develop contract clauses, and the Department of Homeland Security (DHS) to update the US-CERT Incident Notification Guidelines, to implement the measures outlined in the Memorandum. In the coming months, industry will likely have an opportunity to comment on these guidelines as they make their way through the regulatory process. In the meantime, companies that do business with the federal government should review their information security and incident response programs, and the timelines they face for federal contract formation and/or renewal. Reed Smith will continue to monitor data security and privacy developments for federal agencies and contractors in this area.