In the wake of the Veterans Affairs data security breach, the Office of Management and Budget has sent a memo to agency chief information officers reminding them of policy regarding the reporting of unauthorized releases of data containing personal information. The three-week delay between when the computer equipment was lost in the VA case and when the breach was reported publicly was one of the aspects of that affair that most angered potentially affected individuals, as well as many members of Congress.
The Federal Information Security Management Act of 2002 requires all agencies to report security incidents to a federal incident response center (US-CERT) in the Department of Homeland Security. The reporting procedures require agencies to report according to various timeframes based on type of incident. The memo revises those reporting procedures to now require agencies to report all incidents involving personally identifiable information within one hour of discovering the incident.
The memo also told agencies not to distinguish between potential and actual breaches of security when reporting, and said US-CERT will forward all agency reports to the appropriate Identity Theft Task Force point of contact, also within one hour of notification by an agency.
The memo is here: http://www.cio.gov/documents/Reporting_Incidents_Involving_Personally_Identifiable_Information.pdf