Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements for federal agencies to prepare for and respond to breaches, the policy also includes required contractual terms regarding breach preparedness and response for certain federal contractors.

The policy states that the contractual requirements should be inserted into any contract, cooperative agreement or other similar instrument where the contractor collects or maintains PII, or uses or maintains an information system, on behalf of the Government.  Contractors subject to these provisions will be required to:

  • Encrypt PII in accordance with OMB guidance and any agency-specific requirements;
  • Conduct regular training for contractor employees on how to identify and report a breach;
  • Report breaches (including breaches of hard-copy information) as soon as possible and without unreasonable delay;
  • Maintain capabilities to track access to information (including the time of access and the identity of the party accessing the information), construct a timeline of activity, and identify attack vectors;
  • Cooperate with the agency, including any necessary exchange of information, in order to effectively report and manage a suspected breach;
  • Allow for inspection, investigation, forensic analysis, and any other necessary actions to comply with the policy; and
  • Identify roles and responsibilities consistent with the policy and with the agency’s breach response plan.

The contract must also state that a breach, by itself, shall not be interpreted as evidence of a failure to provide adequate safeguards for PII.  The policy notes that an agency may include provisions that require a contractor to provide notification to affected individuals and take measures to mitigate risks to those affected individuals, but does not require such a provision in all agreements.

The memorandum also requires agencies to ensure that entities that have access to PII in relation to a federal grant have “procedures in place to respond to a breach and include terms and conditions requiring the recipient to notify the Federal awarding agency in the event of a breach.”

In addition to the contractual requirements outlined above, the policy also sets forth minimum requirements for agencies to prepare for and respond to breaches.  The policy requires agencies to develop and implement a breach response plan and describes the required elements of such a plan, including the identification of the members of a breach response team, plans for providing any appropriate notification, and procedures for risk assessment and mitigation.  According to the policy, agencies must hold annual tabletop exercises and conduct an annual review of the breach response plan.  The policy also states that agencies should arrange for appropriate logistical and technical support, such as forensic experts or call center support, in advance of a breach.

The policy applies to all breaches, regardless of medium (including hard-copy information), and specifically notes that individuals should report any suspected breaches and should not wait for confirmation of a breach to report it.  Once a breach has been reported, the policy states that the agency should respond in accordance with its breach response plan.  The policy requires agencies to comply with applicable breach notification requirements, but notes that agencies should balance the need for transparency against the dangers of over-notification in determining whether providing notification would benefit the affected individuals.

The policy also requires agencies to track and document all breach responses.  In furtherance of this requirement, an appendix to the policy includes a model internal reporting template to track breaches and any notifications provided as a result.  If the agency reports a breach to Congress, the policy requires the agency to convene its breach response team to review its response to the breach and any “lessons learned” as a result of the response.

Per the policy, agencies must submit an updated breach response plan that complies with the policy within 180 days of the policy’s issuance on January 3rd.  Contractors that handle PII on behalf of agencies, or use or maintain agency information systems, should prepare to comply with new breach-related contractual provisions in accordance with the policy’s requirements for certain federal contracts.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.