On March 29 the FTC published a proposed new routine use (72 Fed. Reg. 14814, 3/29/07) that would allow FTC records governed by the Privacy Act to be disclosed to “appropriate” agencies, entities, and persons when reasonably necessary to respond to a data breach or compromise at a U.S. government agency and to prevent, minimize, or remedy the resulting harm.
Read through the proposal. If it concerns you, or if you think it needs to be strengthened, act quickly to meet the public comment deadline of April 30, 2007. I am not including the contact addresses here; the Federal Register notice cited above has all of that information.
What will be key, and what has been lacking in past implementations of laws like this, is ensuring that sound and consistently enforced procedures are in place to protect the personally identifiable information (PII) being disclosed. That means a process to make sure the PII is properly secured while it is being used by these other “agencies, entities, and persons,” and to make sure the disclosed copies are appropriately destroyed once the investigation is complete. This rarely happens in typical PII-sharing situations.
Improving breach response within government agencies is definitely needed, but the PII shared with the others involved must be safeguarded so that a subsequent privacy breach does not occur as a result of an incident at one of the entities it was shared with.
Here are excerpts from the proposal:
“SUMMARY: The FTC proposes to adopt a new routine use that would permit disclosure of FTC records governed by the Privacy Act when reasonably necessary to respond and prevent, minimize, or remedy harm that may result from an agency data breach or compromise.
DATES: The deadline for public comments is April 30, 2007. Comments received after that date will be considered at the FTC’s discretion.”
“SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, this document provides public notice that the FTC is proposing to adopt a new ‘‘routine use’’ that will apply to all FTC records systems covered by the Privacy Act of 1974. The Act applies to agency systems of records about individuals that the agency maintains and retrieves by name or other personal identifier, such as its personnel and payroll systems and certain other FTC records systems. A list of the agency’s current Privacy Act records systems can be viewed on the FTC’s Web site at: http://www.ftc.gov/foia/listofpasystems.htm. The new routine use would be added to Appendix 1, which describes routine uses that apply globally to all FTC Privacy Act records systems. See 57 FR 45678 (1992), http://www.ftc.gov/foia/sysnot/appendix1.pdf.
This new routine use is needed in order to allow for disclosure of records to appropriate persons and entities for purposes of response and remedial efforts in the event of a breach of data contained in the protected systems. This routine use will facilitate an effective response to a confirmed or suspected breach by allowing for disclosure to individuals affected by the breach, in cases, if any, where such disclosure is not otherwise authorized under the Act.
This routine use will also authorize disclosures to others who are in a position to assist in response efforts, either by assisting in notification to affected individuals or otherwise playing a role in preventing, minimizing, or remedying harms from the breach.
The Privacy Act authorizes the agency to adopt routine uses that are consistent with the purpose for which information is collected and subject to that Act. 5 U.S.C. 552a(b)(3); see also 5 U.S.C. 552a(a)(7). The FTC believes that it is consistent with the collection of information pertaining to such individuals to disclose Privacy Act records when, in doing so, it will help prevent, minimize or remedy a data breach or compromise that may affect such individuals. By contrast, the FTC believes that failure to take reasonable steps to help prevent or minimize the harm that may result from such a breach or compromise would jeopardize, rather than promote, the privacy of such individuals. Accordingly, the Commission concludes that it is authorized under the Privacy Act to adopt a routine use permitting disclosure of Privacy Act records for such purposes.”
“Accordingly, the FTC hereby proposes to amend Appendix 1 of its Privacy Act system notices, as published at 57 FR 45678, by adding the following new routine use at the end of the existing routine uses set forth in that Appendix:
* * * * *
To appropriate agencies, entities, and persons when (1) the FTC suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the FTC has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the FTC or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.”
Tags: awareness and training, corporate governance, FTC, government, Information Security, IT compliance, personal information incident, privacy, Privacy Act, privacy law