OMB Breach Notification Policy
The Office of Management and Budget (OMB) has released several memoranda describing breach notification requirements for federal agencies.
- The most recent was issued in 2017.
- It states that agencies must create a plan for notifying individuals potentially affected by a breach of the agency's IT systems.
- OMB defines a breach as the "loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or similar occurrence" where unauthorized individuals access PII.
- A breach can also include instances where an authorized individual accesses PII for a reason that is not authorized or allowed.
Current Guidance
- Agencies must review the data disclosed in a breach.
- They must determine the number of individuals affected by the breach.
- They must consider the likelihood that the data is usable by unauthorized individuals.
- They must assess the risk of harm to the people whose data is disclosed.
Considering Whether to Disclose
- An agency has discretion about whether it will notify people about a breach of their PII.
- In making that decision, it must consider:
  - Source of the notification
    - The highest-ranking agency official should notify the people affected by the breach.
  - Time for notification
    - The agency must notify the people affected by the breach without delay.
    - It may delay notice only for law enforcement or national security reasons.
  - Contents of the notice
    - Include a description of the breach and the type of data disclosed.
    - Include information on how people can protect themselves from having their data used by unauthorized individuals.
    - Describe what the agency is doing to mitigate the breach.
  - Means of providing the notice
    - The agency must consider how to give notice to the people affected by the breach.
    - It must also consider how it will give notice to individuals who are visually or hearing impaired.