Data Breach Notifications: OMB Recommendations

On September 20 the U.S. Office of Management and Budget (OMB) issued an 11-page memo with guidance to government agencies on how to plan to give notifications for data breaches.

This is a very important issue.  Too many times organizations, including, certainly, government agencies, have woefully responded to breaches and handled the notifications in a much less than stellar manner.  Good guidance would certainly be welcome.

I read the guidelines closely, hoping to find recommendations for a common ground of good practice not only for government agencies, but also to serve as a starting point or model for any type of organization.

Overall there are some good recommendations.  However, it misses an important point that bad things can be done with personally identifiable information (PII) other than what the memo defines as "identity theft."  Granted, the memo clearly states that the purpose is to notify individuals if identity theft specifically is a good possibility, but I think it should have also at least mentioned that many bad things have also been done with PII beyond identity theft, such as stalking, spamming, unsolicited phone calls, using other people’s medical insurance, voting, and so on.

Just a few of the excerpts…

  • "The memorandum provides a menu of steps for anagency to consider, so that it may pursue such a risk-based, tailored response. Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all breaches."

Yes, the response definitely must be risk-based, considering *ALL* types of risks, and the resulting actions based upon the specific situation.  Certainly pre-planning MUST occur.   Unfortunately most organizations do not have a breach identification plan in place, let alone a breach notification plan, according to many different surveys. 

Most of the organizations I’ve spoken with who have a breach notification plan in place do not have one that is truly executable, taking into consideration the types of data involved, or how to communicate about the breach to the impacted individuals or the news media.

  • "This memorandum focuses on the type of identifying information generally used to commit identity theft." 

In fact the memo not only focuses on that type of PII, but also just on the potential of identity theft and nothing beyond, as I stated earlier.

  • "Thus, an important first step in responding to a breach is for agencies to engage in advance planning for this contingency."

Indeed!  Pre-planning must be done to handle an incident and determine when, if and how to provide notification in order to be as effective and efficient as possible, and to lessen the resulting potential damage as much as possible.

  • "Our experience suggests that such a core group should include, at minimum, an agency’s chief information officer, chief legal officer, chief privacy officer (or their designees), a senior management official from the agency, and the agency’s inspector general (or equivalent or designee)."

Where’s the information security officer, CISO, in this list?  Are they assuming the CIO has all the background and information security knowledge necessary for this type of event?  Most CIOs have awareness, but not all the experience and knowledge necessary to use for an effective breach notification response.  It is very important to include the CISO.  Even if notification is determined to not be necessary it is important to remember a security incident has occurred and needs to be resolved. 

Security incident response plans must consider breach notifications, and breach notification teams must consider information security and the actions they must take to help prevent a similar incident from happening.

Another person to definitely include in the core group is the public relations officer.  They must know the reality of what is going on with the incident in order to release information about the incident in the most honest and effective way possible.

  • "Thus, the first steps in considering whether there is a risk of identity theft, and hence whether art "identity theft response" is necessary, are understanding the kind of information most typically used to commit identity theft and then determining whether that kind of information has been potentially compromised in the incident being examined."

Again, the considerations must go beyond just whether or not identity theft can occur, and it will depend upon the situation.  For example, what if a database of names and addresses were stolen from a company that is a potential terrorist target?  There could be safety issues involved here for these individuals, even if the possibility of identity theft with this information is low.

  • "An SSN standing alone can generate identity theft. Combinations of information can have the same effect. With a name, address, or telephone number, identity theft becomes possible, for instance, with any of the following: (1) any government-issued identification number (such as a driver’s license number if the thief cannot obtain the SSN); (2) a biometric record; (3) a financial account number, together with a PIN or security code, if a PTN or security code is necessary to access the account; or (4) any additional, specif c factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club."

All good information to have documented within the breach notification plan.  Along, of course, with other types of data that could lead to bad things.

  • "Our experience suggests that in determining the level of risk of identity theft, the agency should consider not simply the data that was compromised, but all of the circumstances of the data loss, including
    • how easy or difficult it would be for an unauthorized person to access the covered information in light of the manner in which the covered information was protected;
    • the means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity;
    • the ability of the agency to mitigate the identity theft;
    • and evidence that the compromised information is actually being used to commit identity theft"

Some of these recommendations are concerning.  It implies that if the theft of the PII can be mitigated the individuals involved should not be notified.  Wouldn’t this be a little bit like saying the police do not have to notify a homeowner if they found a burgler in the homeowner’s house and chased him away, and don’t think the burgler actually took anything?

I do believe that stongly encrypted data that is stolen poses very little risk to the individuals.  Whether or not data is encrypted should be a consideration.  It would be nice if we could get to a point where all PII on mobile computers and storage devices were strongly encrypted.   

However, trying to second guess WHY the incident occurred and the criminals INTENTIONS is not a good idea. 

Also, breach notifications should be made as quickly as possible.  Just because PII has not been used within a week or two or three…or even a couple of months…to commit crime, does not mean that the individuals’ PII will not be used to commit crimes months later.  Some criminals are smart enough and patient enough to wait until the heat is off to do their crimes. 

  • "For example, as a general matter, the risk of identity theft is greater if the covered inforrnation was stolen by a thief who was targeting the data (such as a computer hacker) than if the information was inadvertently left unprotected in a public location, such as in a briefcase in a hotel lobby. Similarly, in some cases of theft, the circumstances might indicate that the data-storage device, such as a computer left in a car, rather than the information itself, was the target of the theft."

You cannot know the intentions of an unknown thief!  It is best for the potentional vicitms involved for an organization to consider that the thief HAS intentions to do bad things…or potentially someone buying the stolen laptop from the thief will want to do bad things with the PII.

Granted, the circumstances must be considered.  If someone accidentally knocked their computer off the Grand Canyon, smashing it into canyon gravel, then true, this would not need notification…but then again, this really wouldn’t be a breach.  Yes, this is a bit of a facetious example, but hopefully you see my point.

  • "Considering these factors together should permit the agency to develop an overall sense of where along the continuum of identity-theft risk the risk created by the particular incident falls. That assessment, in turn, should guide the agency’s further actions."

This AND following the at least 33 state level breach notification laws.  Those laws do not try to second guess the intentions of criminals.  It is odd the memo does not even reference the state level breach notification laws; it mentions the state level freeze laws.

  • "While assessing the level of risk in a given situation, the agency should simultaneously consider options for attenuating that risk."

More reason to include the CISO in the core breach notification team.

  • "It might take a few months for most signs of fraudulent accounts to appear on the credit report, and this option is most useful when the data breach involves information that can be used to open new accounts."

Yes, it could!  It could also take many months.  Funny they included the seemingly contradictory statement earlier when talking about how to determine IF notification should be made. 

It is still nice to see this point being made, though, within a government publication such as this.  Often organizations and agencies make published statements that "there is no evidence of fraud occurring" just a week or two after the data compromise. 

They recommend telling the individuals to

  • "Place an initial fraud alert on credit reports maintained by the three major credit bureaus noted above."

Legitimate advice, but it is still placing the responsibility of dealing with the organization’s breach impact upon the victim.  All unplanned time, stress and irritation for individuals when the breach often could have been prevented to begin with…or if the data had been encrypted!

  • "Be aware that the public announcement of the breach could itself cause criminals engaged in fraud, under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach into disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive personal information."

This may be possible, but then again, these scams are going on all the time.  Silence about a crime that has occurred potentially impacting privacy and security is not a good risk mitigation control.  It’s usually better to have many eyes and ears on the alert for the subsequent wrong-doings with the stolen data than worry about one or two people who may take advantage.

Here are the high levle recommendations for actually executing the breach notification; see the memo for the details that go with each:

"1. Timing: The notice should be provided in a timely manner, but without compounding the harm from the initial incident through premature announcement based on incomplete facts or in a manner Iikely to make identity theft more likely to occur as a result of the announcement. While it is important to notify promptly those who may be affected so that they can take protective steps quickly, false alarms or inaccurate alarms are counterproductive."

"2. Source: Given the serious security and privacy concerns raised by data breaches, notification to individuals affected by the data loss should be issued by a responsible official of the agency, or, in those instances in which the breach involves a publicly known component of an agency, a responsible official of the component."

"3. Contents: The substance of the notice should be reduced to a stand-alone document and written in clear, concise, and easy-to-understand language, capable of individual distribution and/or posting on the agency’s website and other information sites."

"4. Method of Notification: Notification should occur in a manner calibrated to ensure that the individuaIs affected receive actual notice of the incident and the steps they should take. First-class mail notification to the last known mailing address of the individual should be the primary means by which the agency provides notification."

"5. Preparing for follow-on inquiries: Those notified can experience considerable frustration if, in the wake of an initial public announcement, they are unable to find sources of additional accurate information."

"6. Prepare counterpart entities that may receive a slsrge in inquiries: Depending on the nature of the incident, certain entities, such as the credit-reporting agencies or the FTC, may experience a surge in inquiries also."

On the last page they provide a "Risk Based Decision Framework" flowchart.  I really like, and encourage organizations to use, flowcharts to map out and visually describe procedures.  It makes it clearer what needs to be done, and can be referenced more quickly than 10 pages of documentation (which you still need as support for the flowchart) on its own.

This flowchart would make a good starting point for organizations.  It will need modification to go beyond just indentity theft possibilities, and your will want to incorporate the state level breach notification requirement considerations as well.

Overall this is a nice resource for organizations to use when establishing their breach notification plans, but organization need to keep in mind that it is incomplete and that they need to consider the other issues I discussed earlier.

Technorati Tags








Leave a Reply

Data Breach Notifications: OMB Recommendations

On September 20 the U.S. Office of Management and Budget (OMB) issued an 11-page memo with guidance to government agencies on how to plan to give notifications for data breaches.

This is a very important issue.  Too many times organizations, including, certainly, government agencies, have woefully responded to breaches and handled the notifications in a much less than stellar manner.  Good guidance would certainly be welcome.

I read the guidelines closely, hoping to find recommendations for a common ground of good practice not only for government agencies, but also to serve as a starting point or model for any type of organization.

Overall there are some good recommendations.  However, it misses an important point that bad things can be done with personally identifiable information (PII) other than what the memo defines as "identity theft."  Granted, the memo clearly states that the purpose is to notify individuals if identity theft specifically is a good possibility, but I think it should have also at least mentioned that many bad things have also been done with PII beyond identity theft, such as stalking, spamming, unsolicited phone calls, using other people’s medical insurance, voting, and so on.

Just a few of the excerpts…

  • "The memorandum provides a menu of steps for anagency to consider, so that it may pursue such a risk-based, tailored response. Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all breaches."

Yes, the response definitely must be risk-based, considering *ALL* types of risks, and the resulting actions based upon the specific situation.  Certainly pre-planning MUST occur.   Unfortunately most organizations do not have a breach identification plan in place, let alone a breach notification plan, according to many different surveys. 

Most of the organizations I’ve spoken with who have a breach notification plan in place do not have one that is truly executable, taking into consideration the types of data involved, or how to communicate about the breach to the impacted individuals or the news media.

  • "This memorandum focuses on the type of identifying information generally used to commit identity theft." 

In fact the memo not only focuses on that type of PII, but also just on the potential of identity theft and nothing beyond, as I stated earlier.

  • "Thus, an important first step in responding to a breach is for agencies to engage in advance planning for this contingency."

Indeed!  Pre-planning must be done to handle an incident and determine when, if and how to provide notification in order to be as effective and efficient as possible, and to lessen the resulting potential damage as much as possible.

  • "Our experience suggests that such a core group should include, at minimum, an agency’s chief information officer, chief legal officer, chief privacy officer (or their designees), a senior management official from the agency, and the agency’s inspector general (or equivalent or designee)."

Where’s the information security officer, CISO, in this list?  Are they assuming the CIO has all the background and information security knowledge necessary for this type of event?  Most CIOs have awareness, but not all the experience and knowledge necessary to use for an effective breach notification response.  It is very important to include the CISO.  Even if notification is determined to not be necessary it is important to remember a security incident has occurred and needs to be resolved. 

Security incident response plans must consider breach notifications, and breach notification teams must consider information security and the actions they must take to help prevent a similar incident from happening.

Another person to definitely include in the core group is the public relations officer.  They must know the reality of what is going on with the incident in order to release information about the incident in the most honest and effective way possible.

  • "Thus, the first steps in considering whether there is a risk of identity theft, and hence whether art "identity theft response" is necessary, are understanding the kind of information most typically used to commit identity theft and then determining whether that kind of information has been potentially compromised in the incident being examined."

Again, the considerations must go beyond just whether or not identity theft can occur, and it will depend upon the situation.  For example, what if a database of names and addresses were stolen from a company that is a potential terrorist target?  There could be safety issues involved here for these individuals, even if the possibility of identity theft with this information is low.

  • "An SSN standing alone can generate identity theft. Combinations of information can have the same effect. With a name, address, or telephone number, identity theft becomes possible, for instance, with any of the following: (1) any government-issued identification number (such as a driver’s license number if the thief cannot obtain the SSN); (2) a biometric record; (3) a financial account number, together with a PIN or security code, if a PTN or security code is necessary to access the account; or (4) any additional, specif c factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club."

All good information to have documented within the breach notification plan.  Along, of course, with other types of data that could lead to bad things.

  • "Our experience suggests that in determining the level of risk of identity theft, the agency should consider not simply the data that was compromised, but all of the circumstances of the data loss, including
    • how easy or difficult it would be for an unauthorized person to access the covered information in light of the manner in which the covered information was protected;
    • the means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity;
    • the ability of the agency to mitigate the identity theft;
    • and evidence that the compromised information is actually being used to commit identity theft"

Some of these recommendations are concerning.  It implies that if the theft of the PII can be mitigated the individuals involved should not be notified.  Wouldn’t this be a little bit like saying the police do not have to notify a homeowner if they found a burgler in the homeowner’s house and chased him away, and don’t think the burgler actually took anything?

I do believe that stongly encrypted data that is stolen poses very little risk to the individuals.  Whether or not data is encrypted should be a consideration.  It would be nice if we could get to a point where all PII on mobile computers and storage devices were strongly encrypted.   

However, trying to second guess WHY the incident occurred and the criminals INTENTIONS is not a good idea. 

Also, breach notifications should be made as quickly as possible.  Just because PII has not been used within a week or two or three…or even a couple of months…to commit crime, does not mean that the individuals’ PII will not be used to commit crimes months later.  Some criminals are smart enough and patient enough to wait until the heat is off to do their crimes. 

  • "For example, as a general matter, the risk of identity theft is greater if the covered inforrnation was stolen by a thief who was targeting the data (such as a computer hacker) than if the information was inadvertently left unprotected in a public location, such as in a briefcase in a hotel lobby. Similarly, in some cases of theft, the circumstances might indicate that the data-storage device, such as a computer left in a car, rather than the information itself, was the target of the theft."

You cannot know the intentions of an unknown thief!  It is best for the potentional vicitms involved for an organization to consider that the thief HAS intentions to do bad things…or potentially someone buying the stolen laptop from the thief will want to do bad things with the PII.

Granted, the circumstances must be considered.  If someone accidentally knocked their computer off the Grand Canyon, smashing it into canyon gravel, then true, this would not need notification…but then again, this really wouldn’t be a breach.  Yes, this is a bit of a facetious example, but hopefully you see my point.

  • "Considering these factors together should permit the agency to develop an overall sense of where along the continuum of identity-theft risk the risk created by the particular incident falls. That assessment, in turn, should guide the agency’s further actions."

This AND following the at least 33 state level breach notification laws.  Those laws do not try to second guess the intentions of criminals.  It is odd the memo does not even reference the state level breach notification laws; it mentions the state level freeze laws.

  • "While assessing the level of risk in a given situation, the agency should simultaneously consider options for attenuating that risk."

More reason to include the CISO in the core breach notification team.

  • "It might take a few months for most signs of fraudulent accounts to appear on the credit report, and this option is most useful when the data breach involves information that can be used to open new accounts."

Yes, it could!  It could also take many months.  Funny they included the seemingly contradictory statement earlier when talking about how to determine IF notification should be made. 

It is still nice to see this point being made, though, within a government publication such as this.  Often organizations and agencies make published statements that "there is no evidence of fraud occurring" just a week or two after the data compromise. 

They recommend telling the individuals to

  • "Place an initial fraud alert on credit reports maintained by the three major credit bureaus noted above."

Legitimate advice, but it is still placing the responsibility of dealing with the organization’s breach impact upon the victim.  All unplanned time, stress and irritation for individuals when the breach often could have been prevented to begin with…or if the data had been encrypted!

  • "Be aware that the public announcement of the breach could itself cause criminals engaged in fraud, under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach into disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive personal information."

This may be possible, but then again, these scams are going on all the time.  Silence about a crime that has occurred potentially impacting privacy and security is not a good risk mitigation control.  It’s usually better to have many eyes and ears on the alert for the subsequent wrong-doings with the stolen data than worry about one or two people who may take advantage.

Here are the high levle recommendations for actually executing the breach notification; see the memo for the details that go with each:

"1. Timing: The notice should be provided in a timely manner, but without compounding the harm from the initial incident through premature announcement based on incomplete facts or in a manner Iikely to make identity theft more likely to occur as a result of the announcement. While it is important to notify promptly those who may be affected so that they can take protective steps quickly, false alarms or inaccurate alarms are counterproductive."

"2. Source: Given the serious security and privacy concerns raised by data breaches, notification to individuals affected by the data loss should be issued by a responsible official of the agency, or, in those instances in which the breach involves a publicly known component of an agency, a responsible official of the component."

"3. Contents: The substance of the notice should be reduced to a stand-alone document and written in clear, concise, and easy-to-understand language, capable of individual distribution and/or posting on the agency’s website and other information sites."

"4. Method of Notification: Notification should occur in a manner calibrated to ensure that the individuaIs affected receive actual notice of the incident and the steps they should take. First-class mail notification to the last known mailing address of the individual should be the primary means by which the agency provides notification."

"5. Preparing for follow-on inquiries: Those notified can experience considerable frustration if, in the wake of an initial public announcement, they are unable to find sources of additional accurate information."

"6. Prepare counterpart entities that may receive a slsrge in inquiries: Depending on the nature of the incident, certain entities, such as the credit-reporting agencies or the FTC, may experience a surge in inquiries also."

On the last page they provide a "Risk Based Decision Framework" flowchart.  I really like, and encourage organizations to use, flowcharts to map out and visually describe procedures.  It makes it clearer what needs to be done, and can be referenced more quickly than 10 pages of documentation (which you still need as support for the flowchart) on its own.

This flowchart would make a good starting point for organizations.  It will need modification to go beyond just indentity theft possibilities, and your will want to incorporate the state level breach notification requirement considerations as well.

Overall this is a nice resource for organizations to use when establishing their breach notification plans, but organization need to keep in mind that it is incomplete and that they need to consider the other issues I discussed earlier.

Technorati Tags








Leave a Reply