OMB issues data breach guidance
- By Jason Miller
- Sep 22, 2006
On the heels of the House Government Reform Committee issuing the results of its data breach survey, the White House and its Identity Theft Task Force outlined steps agencies should take to respond to an identity theft or to prevent one from happening.
In an 11-page memo to agency executives, Clay Johnson, the Office of Management and Budget's deputy director for management, made it clear the administration supports the task force's recommendation that departments establish a "core management group responsible for responding to the loss of personal information..."
President Bush created the Identity Theft Task Force through an executive order issued in May. Attorney General Alberto Gonzales and Deborah Platt Majoras, chairwoman of the Federal Trade Commission, led the task force.
The task force made three recommendations:
- Agencies should identify a core response group in the event of a data breach. The group should include the CIO, chief legal officer, chief privacy officer, the inspector general and a senior management official.
- If an incident occurs, the core response group should engage in a risk analysis to determine whether the incident poses problems related to identity theft. The response group should consider how easy or difficult it would be for an unauthorized person to access the personal data; how the data was lost; the ability of the agency to mitigate the theft; and any evidence that the lost data is being used to commit identity theft.
- If the response group determines there is risk, the agency should tailor its response to the nature and scope of the risk presented. Agencies should consider using technology to analyze whether the data loss appears to result in an identity theft. Agencies also should consider providing credit monitoring services at the government's expense.
"Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all data breaches," the Identity Theft Task Force said.
The Government Reform Committee found in a recent survey of agencies that they have lost a large number of laptop computers over the past three years. Committee chairman Tom Davis (R-Va.) has been calling for OMB to provide more guidance to agencies since July, when he introduced a bill, called the Federal Agency Data Breach Notification Act, to strengthen laws regarding disclosing incidents to the public.
"[OMB's] guidance is good but clearly not enough, particularly in light of today's news," said David Marin, the House committee's staff director. "Stronger controls are required."
To that end, Davis expects to submit additional legislation next week to improve agency response to data breaches.