In memo M-17-12, OMB has set policy for agencies on preparing for and responding to breaches of personally identifiable information. The memo, it said, is “intended to promote consistency in the way agencies prepare for and respond to a breach by requiring common standards and processes” while giving agencies flexibility “to tailor their response to a breach based upon the specific facts and circumstances of each breach and the analysis of the risk of harm to potentially affected individuals.”
The memo includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals.
It covers matters such as: defining what information is covered and what constitutes a breach; training and awareness campaigns; what agencies should do to prepare for a breach, including identifying available logistical and technical support and setting requirements for contractors and grantees; reporting a suspected or confirmed breach; maintaining a breach response plan that includes a response team, information-sharing, an assessment of the risk of harm to individuals and steps to mitigate that harm; notifying potentially affected individuals; tracking and documenting the response; and post-response reporting.
Those are minimum requirements, it added, and agencies may impose stricter standards.