White House Revamps Data Breach Response Guidance
01/06/17 – Law360 reports that the White House has laid out updated parameters for federal agencies to follow when preparing for and responding to data breaches.
The guidance also addresses compliance with a federal statute governing the disclosure of personal information.
Prompted by advances in technology and changes in the cyberthreat landscape over the past decade, the White House’s Office of Management and Budget issued revamped versions of M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and Circular A-108, which details federal agencies’ review, reporting and publication responsibilities under the Privacy Act of 1974.
Both documents are intended to reflect changes to laws, policies and best practices that have emerged in recent years. The breach guidance was last updated in 2007, while the Privacy Act policy had its most recent review in 2000.
According to OMB, the breach policy sets out a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals.
The updated breach guidance directs federal agencies to do three things. First, develop training for all individuals with access to the agency’s information systems on how to identify and respond to a breach, with annual training as a “baseline” and specialized training offered as necessary. Second, ensure that the appropriate terms are in place when drafting contracts with third parties that maintain or collect information on the agency’s behalf, including requirements that contractors exchange information about a breach with federal officials and encrypt personal data. Third, identify the logistical and technical support needed to respond to a breach.