Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).  In addition to setting forth requirements for federal agencies to prepare for and respond to breaches, the policy also includes required contractual terms regarding breach preparedness and response for certain federal contractors.

The policy states that the contractual requirements should be inserted into any contract, cooperative agreement or other similar instrument where the contractor collects or maintains PII, or uses or maintains an information system, on behalf of the Government.  Contractors subject to these provisions will be required to:

  • Encrypt PII in accordance with OMB guidance and any agency-specific requirements;
  • Conduct regular training for contractor employees on how to identify and report a breach;
  • Report breaches (including breaches of hard-copy information) as soon as possible and without unreasonable delay;
  • Maintain capabilities to track access to information (including the time of access and the identity of the party accessing the information), construct a timeline of activity, and identify attack vectors;
  • Cooperate with the agency, including any necessary exchange of information, in order to effectively report and manage a suspected breach;
  • Allow for inspection, investigation, forensic analysis, and any other necessary actions to comply with the policy; and
  • Identify roles and responsibilities consistent with the policy and with the agency’s breach response plan.

The contract must also state that a breach, by itself, shall not be interpreted as evidence of a failure to provide adequate safeguards for PII.  The policy notes that an agency may include provisions that require a contractor to provide notification to affected individuals and take measures to mitigate risks to those affected individuals, but does not require such a provision in all agreements.

The memorandum also requires agencies to ensure that entities that have access to PII in relation to a federal grant have “procedures in place to respond to a breach and include terms and conditions requiring the recipient to notify the Federal awarding agency in the event of a breach.”

In addition to the contractual requirements outlined above, the policy also sets forth minimum requirements for agencies to prepare for and respond to breaches.  The policy requires agencies to develop and implement a breach response plan and describes the required elements of such a plan, including the identification of the members of a breach response team, plans for providing any appropriate notification, and procedures for risk assessment and mitigation.  According to the policy, agencies must hold annual tabletop exercises and conduct an annual review of the breach response plan.  The policy also states that agencies should arrange for appropriate logistical and technical support, such as forensic experts or call center support, in advance of a breach.

The policy applies to all breaches, regardless of medium (including hard-copy information), and specifically notes that individuals should report any suspected breaches and should not wait for confirmation of a breach to report it.  Once a breach has been reported, the policy states that the agency should respond in accordance with its breach response plan.  The policy requires agencies to comply with applicable breach notification requirements, but notes that agencies should balance the need for transparency against the dangers of over-notification in determining whether providing notification would benefit the affected individuals.

The policy also requires agencies to track and document all breach responses.  In furtherance of this requirement, an appendix to the policy includes a model internal reporting template to track breaches and any notifications provided as a result.  If the agency reports a breach to Congress, the policy requires the agency to convene its breach response team to review its response to the breach and any “lessons learned” as a result of the response.

Per the policy, agencies must submit an updated breach response plan that complies with the policy within 180 days of the policy’s issuance on January 3rd.  Contractors that handle PII on behalf of agencies, or use or maintain agency information systems, should prepare to comply with new breach-related contractual provisions in accordance with the policy’s requirements for certain federal contracts.