The White House has made a step toward implementing in federal agencies some breach response best practices currently used in the private sector. On Jan. 3, the White House issued a memorandum (Memo) updating for the first time in almost a decade guidelines on how federal agencies should prepare for and respond to a breach of personally identifiable information. The Memo comes on the heels of a 27 percent increase (between 2013 and 2015) in the number of incidents reported by federal agencies and addresses certain “changes to laws, policies, and best practices that have emerged since the Office of Management and Budget first required agencies to develop plans to respond to a breach.”
The Memo first cites the all-too-familiar grim statistics concerning overall bad behavior in the digital privacy world. The identified bad behavior includes the familiar (e.g., identity theft and credit card fraud) and the relatively new (e.g., using stolen information to seek medical treatment and obtain prescription drugs). To address the ever-growing concern for protection in the digital world, the Memo lays out minimum agency requirements for responding to a breach, while allowing agencies to impose stricter standards at their discretion to address an agency’s particular mission and risks. As the Memo recognizes, an “effective detection and expeditious response to a breach is important to reduce the risk of harm to potentially affected individuals and to keep the public’s trust in the ability of the Federal Government…”
Substantively, the Memo mirrors the sound advice privacy practitioners have been giving their clients for some time. Importantly, agencies must develop and implement a breach response plan, and the Memo addresses certain requirements that must be included in the plan. The Memo further requires that for all persons with access to an agency’s federal information and information systems, the agency must develop training on how to identify and respond to a breach. For example, agencies must, at a minimum, annually perform tabletop exercises to test the breach response plan so that individuals who execute it are familiar with it and any weaknesses in the plan are discovered and corrected. Furthermore, agencies must ensure that when a contractor collects or maintains federal information on behalf of the agency or uses or operates an information system on behalf of the agency, minimum contract terms necessary for the agency to respond to a breach are included in contracts. There are many other requirements in the Memo, and the entire memo can be found here.
While these requirements are a step in the right direction, as most privacy practitioners know, a good response plan is only as good as the people behind it. Consequently, an important next step is the proper and regular training of those breach response team members responsible for executing the plan at the time of an actual breach.