Federal Agencies to Implement Data Breach Notification Policies and Limit Use of SSNs

Posted by Charlene Brownlee

The Office of Management and Budget issued a data breach notification memorandum May 22, 2007[1] to the heads of federal executive agencies and departments exactly one year after the Veterans Affairs Department announced the largest publicly known federal government data breach.[2]

All federal agencies have 120 days to implement policies to notify individuals in the event of a breach of their personal information by the federal government. In addition, agencies must also review their collection and use of Social Security numbers and develop a plan to, within 18 months, eliminate their unnecessary collection and use of SSNs.

Agencies must review their current holdings of all personally identifiable information and, "to the maximum extent practicable," ensure that the information is accurate, relevant, timely and complete. Agencies must then take steps to reduce the amount of personal information they retain to "the minimum necessary for the proper performance of a documented agency function."

Key Components of Federal Breach Notification Policies

1. Form of Information - The OMB policy covers personal information in both paper and electronic form.

2. Definition of Personal Information - Personal Information is defined broadly as information that can be used to distinguish or trace an individual's identity. The context in which a particular piece of information is located is crucial to deciding whether its loss is significant. For example, a list of office phone numbers and other personal contact information would not likely be considered "sensitive," but if the same information was included in the database of a clinic that treated a contagious disease, it probably should be deemed sensitive.

3. When to Give Notice? - In deciding whether to give notice to individuals or others outside the government, OMB directed agencies to evaluate numerous factors:

  • types of harms that might stem from a breach, including financial harm, harm to an individual's reputation and the potential for harassment or prejudice;
  • the nature of the data that was breached and whether it poses a low, moderate or high risk of harm based on the type of data as defined by the National Institute of Standards and Technology (NIST);
  • the number of individuals affected;
  • the likelihood that the data is accessible and usable;
  • the likelihood that harm will occur; and
  • the ability of the agency to mitigate the risks of harm.

Notification should be made without unreasonable delay following the discovery of a breach, consistent with the needs of law enforcement and national security. Notification should not be delayed if the delay would "exacerbate risk or harm to any affected individual."

4. Method of Notification - Notification of individuals by first class mail is preferred, but telephone notice concurrent with written notice may be appropriate if the risks of harm from the breach are high. Notice by e-mail, and by posting announcements on an agency's Web site and in the news media, should also be considered.

5. Breach Response Preparedness - The OMB memo said that agencies should modify their Privacy Act system of records regulations to allow them to share information in the event of a breach. The change is necessary because the very type of information that is protected by the Privacy Act is often the kind of personally identifiable information that would give rise to notification requirements if it is breached.

6. Data Security Measures - Agencies should undertake data security initiatives to help minimize the possibility of a data breach, including:

  • reducing the volume of collected and retained information to the minimum necessary;
  • limiting access only to those individuals who must have such access; and
  • using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.

7. Disciplining Employees - Agencies must develop rules of behavior concerning the handling of personal information by agency employees and put in place corrective actions for failure to follow those rules. The minimum disciplinary action agencies should consider for employees who demonstrate an egregious disregard for, or a pattern of errors regarding, the protection of personal information should be the prompt removal of their access rights to such information. Agencies must provide adequate data security training to employees before holding them accountable under the new codes of behavior.
[1] The OMB memo, "Safeguarding Against and Responding to the Breach of Personally Identifiable information" (M-07-16), is available at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.

[2] On May 22, 2006, the VA announced that a portable storage device containing personal information on some 26.5 million active and retired military personnel had been stolen from the home of an employee. The hard drive was later recovered and VA said that the personal information appeared to have not been compromised.
