On January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting for a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients.
The Memorandum is not the first set of guidance to federal agencies and departments for reporting breaches of personally identifiable information (PII), but it establishes minimum standards going forward (agencies have to comply within 180 days from the date of the Memorandum). The Memorandum makes clear that it is not setting policy on information security, or protecting against malicious cyber activities and similar activities; topics related to the recent fiery debates concerning the 2016 election results and Russian influence.
The Memorandum sets out a detailed breach response policy covering topics such as preparedness, establishing a response plan, assessing incident risk, mitigation, and notification. For organizations that have not created a comprehensive breach response plan, the Memorandum could be a helpful resource, even for those not subject to it. But it should not be the only resource.
Below are some observations and distinctions worth noting.
- PII definition. Unlike most state breach notification laws, the Memorandum defines PII broadly: information that can be used to distinguish to trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. So, for example, the notification obligation for a federal contractor will not just apply if Social Security numbers or credit card numbers have been compromised.
- Breach definition. Breaches are not limited phishing attacks, hackings or similar intrusions. They include lost physical documents, sending an email to the wrong person, or inadvertently posting PII on a public website.
- Training. Breach response training must be provided to individuals before they have access to federal PII. That training should advise the individuals not to wait for confirmation of a breach before reporting to the agency. A belief (or hope) that one will find that lost mobile device should not delay reporting.
- Required provisions in federal contracts. Federal contractors that collect or maintain federal PII or use or operate an information system for a federal agency must be subject to certain requirements by contract. The Memorandum requires agencies to update their contracts with contractors to ensure the contracts contain certain provisions, such as requiring contractors to (i) encrypt PII in accordance with OMB Circular A-130, (ii) train employees, (iii) report suspected or confirmed breaches; (iv) be able to determine what PII was or could have been accessed and by whom, and identify initial attack vectors, and (v) allow for inspection and forensic analysis. Because agencies must ensure these provisions are uniform and consistent in all contracts, negotiation will be difficult. The Federal Acquisition Regulatory Council is directed to work the Office of Management and Budget to promptly develop appropriate contract clauses and regulatory coverage to address these requirements.
- Risk of harm analysis. Agencies will need to go through a complex risk of harm analysis to determine the appropriate breach response. Notably, encryption of PII is not an automatic exception to notification.
- Notification. The rules for timing and content of breach notification are similar to those in many of the state breach notification laws. The Memorandum also advises agencies to anticipate undeliverable mail and to have procedures for secondary notification, something not clearly expressed in most state notification laws. The Memorandum also suggests website FAQs, which can be more easily updated and tailored. Agency heads have ultimate responsibility for deciding whether notify. They can consider over-notification and should try to provide a single notice to cover multiple notification requirements. They also can require contractors to provide notification following contractor breaches.
- Tabletop Exercises. The Memorandum makes clear that testing breach response plans is essential and expressly requires that tabletop exercises be conducted at least annually.
Federal contractors and federal grant recipients that have access to federal PII will need to revisit (or develop) their own breach response plans to ensure they comply with the Memorandum, as well as the requirements of the applicable federal agency or department which can be more stringent. Of course, those plans must also incorporate other breach response obligations the organizations may have, whether those obligations flow from other federal laws (e.g., HIPAA), state laws, or contracts with other entities. Putting aside presidential politics, cybersecurity threats are growing and increased regulation, enforcement and litigation exposure is likely.