DHS Advisory Group Approves Data Breach Notification Best Practices


Advisers wanted to ensure the notifications aren’t mistaken for phishing attempts.

A Homeland Security Department advisory committee approved a set of best practices Tuesday for DHS agencies notifying employees, citizens or others about a data breach that’s compromised their personal information.

An earlier draft of the best practices document essentially urges agencies to seek a balance in their notification procedures: move quickly enough to comply with legal requirements and to give people affected by the breach ample opportunity to take defensive measures, but not so quickly that the notice contains unclear or even false information. Notify people who may be harmed by a breach, but beware of "overnotification" to the point that people stop taking notices seriously.

Members of DHS' Data Privacy and Integrity Advisory Committee lightly edited the draft document during a phone conference Tuesday. Committee members added language about helping breach notice recipients verify that the notice is genuine and not itself a phishing scam seeking their personal information.

They also added language highlighting federal requirements to ensure notices are accessible to people with disabilities and to people who don't speak English.

DHS’ privacy office began work on the best practices guide in the wake of the Office of Personnel Management breach, which compromised sensitive security clearance information about more than 20 million current and former federal employees and their families.

The document follows breach notification guidelines created by several federal agencies and a formal guidance document from the Office of Management and Budget released in January.