The Pentagon has issued guidance to DoD components on considerations for making public announcements regarding breaches of private information, an issue that has been much on the minds of the federal workforce in recent months following disclosure of two major breaches of personally identifiable information, or PII, held by the Office of Personnel Management.
A memo from the DoD senior official for privacy, Michael L. Rhodes, says the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary. One challenge is that no two breaches of PII involve the exact same circumstances, personnel, systems or information. A case-by-case analysis combined with the use of best judgment is required for effective breach management.”
Specifically, it says that the determination of whether to notify individuals of a breach should be based on an assessment of the likelihood that the individual will be harmed and the severity of that harm. Harm includes not only risks such as identity theft or financial loss, it adds, but also embarrassment, inconvenience, emotional distress and loss of self-esteem.
“Components should remain cognizant of the effect that unnecessary notification may have on the public,” it adds. “Notification when there is little or no risk of harm might create unnecessary concern and confusion. Additionally, overzealous notifications … could render all such notifications less effective because consumers could become numb to them and fail to act when risks are truly significant.”