A Breach Notification Requirement for Feds, Sort Of

Most of the press accounts about a security and privacy memo that the Office of Management and Budget issued this month focused on OMB's request that agencies reduce the use of Americans' Social Security numbers as much as possible.

The memo, written by OMB Deputy Director for Management Clay Johnson, also gave agencies 120 days to come up with a security breach notification policy. That particular issue has been a sore point for privacy and security advocates.

The memo had four attachments to guide agencies when creating a notification policy. The memo stated:

In formulating a breach notification policy, agencies must review their existing requirements with respect to Privacy and Security (see Attachment 1). The policy must include existing and new requirements for Incident Reporting and Handling (see Attachment 2) as well as External Breach Notification (see Attachment 3). Finally, this document requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information (see Attachment 4).

Both federal and state governments have been criticized for not developing security breach notification policies for themselves, even as they have passed, or are considering, legislation that requires the private sector to do so.

Johnson also suggests to agencies that the "greatest benefit" in dealing with security breaches is to be proactive by "reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals."

Just two months ago, the Cyber Security Industry Alliance criticized President Bush's Identity Theft Task Force for not recommending in its report that agencies be required, as is the private sector, to notify individuals whose private data may have been stolen or compromised during a security breach.

Johnson's memo lays out five factors -- with a number of vague contingencies -- that agencies should consider when determining the level of risk a particular security breach poses to personal data before notifying the public, including the sensitivity of the data elements in their context and how likely it is that the data was actually stolen or otherwise compromised.

Hat tip: ComputerWorld