Privacy Incidents and Breach Response
Overview
In January 2017, OMB Memorandum M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information” required every agency, among other things, to implement more stringent breach notification and response policies and procedures.
Let the OSOP know:
- Whether the compromised system or lost/stolen equipment contained NIH data;
- Whether a compromised account had access to NIH data;
- Whether the data was personally identifiable or sensitive in nature;
- Whether the data/equipment/device was encrypted;
- The data elements involved in the loss/theft (name, SSN, DOB, race, gender, medical record number, biometric identifier, photo, etc.);
- The number of individuals potentially affected;
- The types of controls in place to mitigate risk;
- The level of risk to the agency and to the individuals affected.
Contact us using the information on the top right of this page so that a breach response plan and/or letter to notify individuals of the breach of PII/Sensitive Information (SI) can be prepared (if required).
Privacy Incident
A privacy incident is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, or SI, whether physical or electronic.
Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, SSN, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. PII is protected by the provisions of the Privacy Act if the record in which it is located is under the control of an agency and is contained in an authorized system of records retrieved by a personal identifier.
Sensitive Information (SI): Information for which the loss, misuse, or unauthorized access could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act). Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Privacy Breach
A breach is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.
To report lost or stolen NIH data (PII or SI) or equipment (e.g., laptop/tablet, digital camera, USB drive, Blackberry, cell phone), contact the NIH IT Service Desk within one (1) hour of discovering the loss/theft:
Phone Number: (301) 496-HELP (4357)
Toll Free Number: (866) 319-4357
TTY: (301) 496-8294
Visit the Incident Response Team (IRT) Portal to create an incident report.
Email Security
The NIH E-mail System is not secure! PII distributed or communicated by email must be encrypted, whether the PII is within an attachment or part of the message body. This applies to email sent within the NIH network or over the Internet.
- If the recipient of the email is within the HHS community, employees/contractors can use their HHS ID to encrypt the email by inserting the PIV card into the computer's smart card reader.
- For both NIH and non-NIH recipients, data can be protected using the NIH Secure Email and File Transfer (SEFT) service.
Personally-Owned Equipment (POE) and Software
The use of personally-owned or non-NIH equipment and/or software to store PII or sensitive government data is not permitted. POE and software includes, but is not limited to, personal computers and related equipment (e.g., wireless laptops, printers, USB drives) and software, personal e-mail providers (e.g., Yahoo!, Hotmail, Gmail), personal library resources, hand-held and personal digital assistant (PDA) devices, facsimile machines and photocopiers. POE and software cannot be physically connected to, or installed on, NIH systems or networks without written authorization from the IC Chief Information Officer.
Additional Reference
- HHS Cybersecurity Program
- NIH Guide for Handling Sensitive Information
- NIH Incident Response Team (IRT) Portal
- NIH Sensitive Information and Encryption Resource Card
- NIH Encryption
- NIH PKI Quick Reference Guide
- FTC OnGuard Online
- FTC Identity Theft
- Privacy Incident Management - Reference Sheet Scenario Examples