NIH Office of Management Assessment

Breach Response

Overview and Requirements

As a result of numerous disclosures of data breaches by Federal agencies in 2006, the Office of Management and Budget (OMB) released a series of memoranda that, among various security requirements, reminded agencies of their responsibility to protect personally identifiable information (PII), and increased requirements on agencies to notify the proper authorities in the event that a breach to PII was confirmed.

In May 2007 OMB released Memorandum (M) 07-16 "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)." M 07-16 required every agency, among other things, to implement more stringent breach notification and response policies and procedures.

Specifically, agencies are required to:

  • Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, and instruct any such person with respect to such rules and the requirements of the Privacy Act;
  • Provide job-specific training for managers and employees before granting them access to agency information and information systems;
  • Review existing requirements with respect to privacy and security by ensuring that current records are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of the agency function;
  • Implement more stringent policies such as reducing the volume of collected and retained information (specifically a decrease in use of SSNs) and employing heightened administrative, technical, and physical security measures;
  • Implement breach notification and SSN reduction policies that address the necessity, timeliness, source, contents, means of provision, and recipients;
  • Report to US-CERT when an individual gains logical or physical access without permission to a Federal agency network, system, application, data or other resource; or when there is a suspected or confirmed breach of PII regardless of the manner in which it might have occurred;
  • Publish a routine use for their systems of records notices (SORNs) allowing for the disclosure of information in the course of responding to a breach of Federal data; and
  • Provide a breach notification, without unreasonable delay, to the Department as well as individuals affected by the breach. The notification must include:
    • Source of the breach;
    • Brief description;
    • Date of discovery;
    • Type of PII involved;
    • A statement whether or not the information was encrypted;
    • What steps individuals should take to protect themselves from potential harm;
    • What the agency is doing to resolve the breach; and
    • Who affected individuals should contact for information.

Policies and Procedures

OMB M-07-16 issued in May 2007:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

HHS Response to OMB M-07-16:
http://www.hhs.gov/ocio/securityprivacy/incidentmanagement/incidentresp.html

HHS Policy for Responding to Breaches of Personally Identifiable Information (PII):
http://www.hhs.gov/ocio/policy/2008-0001.003.html

NIH Breach Response Policy:
http://intranet.hhs.gov/infosec/docs/incident_mgmt/Policy_Responding_Breaches_of_PII/Policy_Breaches_of_PII_toc.htm

NIH Incident Response Team (IRT):
http://ocio.nih.gov/nihonly/irt/index.html

Roles and Responsibilities (e.g., POCs)

Please find information regarding NIH Incident Response roles and responsibilities at:
http://ocio.nih.gov/security/sec_policy.html

Education and Outreach

OCIO Information Security Training and Awareness:
http://ocio.nih.gov/security/security-communicating.htm

NIH Information Security Awareness Training:
http://irtsectraining.nih.gov/

Frequently Asked Questions (FAQs)

1. What is a security or privacy breach?

  • The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

2. What are some examples of paper and electronic breaches?

  • Paper Breach:
    • Having hardcopy documents containing Personally Identifiable Information (PII) stolen from one’s desk;
    • Losing a briefcase that contained hardcopy documents containing PII; and
    • Intentionally sharing hardcopy documents that contain PII without authorization.
  • Electronic Breach:
    • Unauthorized users gain access to electronic documents containing PII through shared passwords, a workstation left unlocked or unattended, etc.;
    • PII is posted, in any format, onto the world wide web without authorization; and
    • Having a laptop containing PII lost or stolen.

3. When do I report a breach?

  • You should report both suspected and confirmed record breaches as soon as they are discovered in order to begin remediation and investigation of any compromised information.

4. To whom do I report a breach?

Definitions

Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information").

Computer Security Incident: An event that may result in, or has resulted in, the unauthorized access to, or disclosure of, sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include: unauthorized use of another user account, unauthorized scans or probes, successful and unsuccessful intrusions, unauthorized use of system privileges, and execution of malicious code (e.g., viruses, Trojan horses, or back doors). Events such as natural disasters and power-related disruptions are not generally within the scope of IRTs and should be addressed in an agency business continuity and contingency plan. (Defined in HHS IRM Policy for Establishing an Incident Response Capability).

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in NIST SP 800-53, "Recommended Security Controls for Federal Information Systems").

Data (Business) Owner: The authority, individual, or organization that has original responsibility for the data by statute, executive order, or directive. (Defined in the HHS Information Security Program Policy).

HHS Breach Response Team: Reviews and evaluates initial breach information that has been reported by an OPDIV. Upon receiving the initial notification, the HHS BRT evaluates the suspected or confirmed breach and conducts an initial breach assessment to determine whether the breach response should be led at the OPDIV level or if HHS BRT leadership is required to adequately manage the risk of the suspected or confirmed breach. The HHS BRT also evaluates an OPDIV’s risk assessment and response plan for addressing a breach. The HHS BRT may provide further guidance to the OPDIV and re-evaluate whether the HHS BRT should lead response activities. (Defined in Secure One HHS "Personally Identifiable Information Breach Response Team Standard Operating Procedures").

Personal Digital Assistant: A multi-purpose, handheld device that serves as a personal computer. Personal digital assistants have the capability to access the worldwide web (internet, intranet, or extranets) and can store large amounts of information (e.g., text files, contact information, emails, spreadsheets, music, survey responses). Such devices often employ phone technologies as well.

Personally Identifiable Information: Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, "Reporting Incidents Involving Personally Identifiable Information & Incorporating Cost for Security in Agency Information Technology Investments").

Note: The acronyms of PII and Information in Identifiable Form (IIF) are often used interchangeably.

Privacy Act System of Records Notice (SORN): All systems with Privacy Act information contained within them are required to publish a “Records Notice” in the Federal Register that informs the public what information is contained in the system, how it is issued, how individuals may gain access to information about themselves, and other specific aspects of the system. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability; and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  • Unintentional errors and omissions;
  • IT disruptions due to natural or man-made disasters; or
  • Failure to exercise due care and diligence in the implementation and operation of the information system.

(Defined in NIST SP 800-30, "Risk Management Guide for Information Technology Systems," Appendix E).

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses. (Defined in NIST SP 800-53, Section E).

Senior Agency Official for Privacy: An individual selected by the Department of Health and Human Services (HHS) to have agency-wide oversight in implementing and ensuring compliance with privacy legislation. (Defined in OMB Memorandum M-05-08, "Designation of Senior Agency Officials for Privacy").

Sensitive Information: Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Further, the loss of sensitive information confidentiality, integrity, or availability might: (i) cause a significant or severe degradation in mission capability to an extent and duration that the organization is unable to perform its primary functions; (ii) result in significant or major damage to organizational assets; (iii) result in significant or major financial loss; or (iv) result in significant, severe or catastrophic harm to individuals that may involve loss of life or serious life threatening injuries. (Defined in HHS Memorandum ISP-2007-005, "Departmental Standard for the Definition of Sensitive Information").

System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected. (Defined in NIST SP 800-16, Appendix C).

System Development Life Cycle (SDLC): A software development process that is used by a systems analyst to develop and maintain an information system. This process includes five system phases: initiation, acquisition/development, implementation/assessment, operation/maintenance, and disposition. (Defined in NIST SP 800-34, Appendix E).

Threat: Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Defined in NIST SP 800-53, Section E).

United States Computer Emergency Response Team (US-CERT): A partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. (Defined on US-CERT website).

References

Privacy Act of 1974 (5 U.S.C. Section 552a, as amended):
http://www.usdoj.gov/oip/privstat.htm
http://www.usdoj.gov/oip/04_7_1.html

OMB Memorandum M-05-08, "Designation of Senior Agency Officials for Privacy":
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-08.pdf

OMB M-06-15 issued in May 2006:
http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf

OMB M-06-16 issued in June 2006:
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

OMB Memorandum, "Recommendations for Identity Theft Related Data Breach Notification":
http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf

OMB M-06-19 issued in July 2006:
http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf

OMB M-07-16 issued in May 2007:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

OMB M-08-09 issued in January 2008:
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-09.pdf

US-CERT:
http://www.us-cert.gov/

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems":
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems":
http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, "Computer Security Incident Handling Guide":
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

HHS Incident Management and Response Website:
http://www.hhs.gov/ocio/securityprivacy/incidentmanagement/incidentresp.html

HHS Secure One Incident Management Website:
http://intranet.hhs.gov/infosec/incident_management.html

HHS Policy for Responding to Breaches of Personally Identifiable Information (PII):
http://www.hhs.gov/ocio/policy/2008-0001.003.html

HHS: Breach Response Team Charter:
http://intranet.hhs.gov/infosec/docs/incident_mgmt/Breach_Response_Team_Charter/Breach_Response_Team_Charter_toc.htm

HHS IRM Policy for Establishing an Incident Response Capability:
http://www.hhs.gov/ocio/policy/2000-0006.html

HHS Information Security Program Policy:
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/isp_toc.htm

HHS Response to OMB M-07-16:
http://www.hhs.gov/ocio/securityprivacy/hhs_response_plan_to_m0716_070919_new.pdf

HHS Memorandum ISP-2007-005, "Departmental Standard for the Definition of Sensitive Information":
http://intranet.hhs.gov/infosec/policies_memos.html

NIH Office of the Chief Information Officer:
http://ocio.nih.gov

NIH Encryption Web Page:
http://ocio.nih.gov/security/HHS_Encrypt_Policy_Guidance_Tools.html

NIH ISSO Corner:
http://ocio.nih.gov/security/security-isso.htm

NIH IT Incident Response and Prevention:
http://ocio.nih.gov/security/security-isso.htm

Last updated on: March 24, 2009