OMB Publishes Memo on Risk-Based Breach Response

    Feb 08, 2017

    The Obama administration left behind an Office of Management and Budget (OMB) memo advising federal agencies to take a risk-based approach to preparing for and responding to data breaches, according to media sources.

    The January 3 OMB “Breach Memorandum” to federal agencies’ senior privacy officials outlined a “framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach as well as guidance on whether and how to provide notification and services to those individuals.”

    The memo updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA).

    Although aimed at agencies, official OMB guidance also carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and that resources should be directed where the risk of a breach is greatest, Bloomberg BNA said. In addition, the memo supports efforts to limit breach notices.

    Jim Halpert, a partner with DLA Piper LLP in Washington and co-chair of the firm’s Global Data Protection, Privacy and Security practice, told Bloomberg BNA that the memo “sets out a much more searching and thorough approach to breach notice and preparation for data breaches than previously applied across federal government agencies.”

    Lisa M. Ropple, a cybersecurity partner at Jones Day in Boston, told Bloomberg BNA that “this risk-based framework, which is consistent with National Institute of Science and Technology standards and cybersecurity industry best practices, reflects an appreciation of the reality that not all incidents warrant the same response.”

    According to Ropple, “Virtually every step of the breach response protocol – from determining whether an incident involved personally identifiable information (PII), to deciding whether to convene the agency’s breach response team – depends on an assessment of the risk presented by the unique facts and circumstances of the breach.”

    Paul Tiao, partner in the Global Privacy and Cybersecurity Practice at Hunton & Williams LLP and former senior counselor for cybersecurity to the FBI director, said that the “OMB memo will hopefully lead to better incident response plans and the consistent use of best practices across the government when federal agencies and contractors have been breached and PII compromised.”

    Cybersecurity experts say effective breach response is a major challenge, and it is critical to have breach response plans in place that actually work. According to Halpert, the memo “applies a complex balancing test that agencies will need to consider in deciding how to respond to a data breach.”

    The OMB memo said that in the modern “information-driven economy,” federal agencies handle “unprecedented volumes of PII,” ranging from names, addresses, and dates of birth to Social Security numbers, geolocation information, medical history, and biometric data. The federal government is expected to protect this sensitive PII, and one of the most important challenges for government agencies is protecting their information technology systems and networks from cybersecurity threats.

    Federal IT systems are increasingly becoming targets of cyberattacks by hackers wishing to sell or trade stolen PII. Between fiscal years 2013 and 2015, the number of cybersecurity incidents reported by federal agencies increased 27%, according to the OMB memo.

    According to the memo, the risk of harm to individuals resulting from compromised PII has generally been categorized in terms of financial harm or identity theft. However, criminals use stolen PII for many other purposes as well, including seeking employment, crossing international borders, obtaining prescription drugs, and other criminal activity.

    The memo also includes a section on notification timing that acknowledges the risk of providing notice too quickly after a breach is discovered. It recommends avoiding multiple notifications for a single event and directs agencies to assess “whether and when to notify individuals potentially affected by a breach.” Agencies should “balance the need for transparency with concerns about over-notifying individuals,” because notification is not always helpful to the people it reaches.

    According to the Hunton Privacy Blog, the memo notes the importance of breach response and awareness training, and it emphasizes key provisions to include in agency contracts to require contractors to 1) encrypt PII in accordance with OMB and agency-specific guidelines; 2) report breaches to the relevant agency as soon as possible; and 3) cooperate with any forensic investigation and analysis. With respect to breach reporting, the memo instructs each agency to set up a simple e-mail address, such as breach@[agency].gov, for individuals to use to report suspected or confirmed breaches.

    After a breach, agencies should track and document the response to each breach using a standard internal reporting template and identify any lessons learned. In addition, on an annual basis, the senior privacy officer and the agency must: 1) conduct a tabletop exercise; 2) review the breach response plan and consider potential updates; and 3) submit an annual FISMA report on the adequacy of the agency’s information security policies and procedures.


    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession.

    © 2017, ARMA International