OMB issues data breach guidance

On the heels of the House Government Reform Committee issuing the results of their data breach survey, the White House and its Identity Theft Task Force outlined steps agencies should take in responding to an identity theft or ways to prevent one from happening.

In an 11-page memo to agency executives, Clay Johnson, the Office of Management and Budget's deputy director for management, made it clear the administration supports the task force's recommendation that departments establish a "core management group responsible for responding to the loss of personal information..."

President Bush created the Identity Theft Task Force through an executive order issued in May. Attorney General Alberto Gonzales and Deborah Platt Majoras, chairwoman of the Federal Trade Commission, led the task force.

The task force made three recommendations:

  • Agencies should identify a core response group in the event of a data breach. The group should include the CIO, chief legal officer, chief privacy officer, the inspector general and a senior management official;

  • If an incident occurs, the core response group should engage in a risk analysis to determine whether the incident poses problems related to the ID theft. The response group should consider how easy or difficult it would be for an unauthorized person to access the personal data; how the data was lost; the ability of the agency to mitigate the theft; and any evidence that the lost data is being used to commit identity theft.

  • If the response group determines there is risk, the agency should tailor its response to the nature and scope of the risk presented. Agencies should consider using technology to analyze whether the data loss appears to result in an identity theft. Agencies also should consider providing credit monitoring services at the government's expense.

"Ultimately, the precise steps to take must be decided in light of the particular facts presented, as there is no single response for all data breaches," the Identity Task Force said.

The Government Reform Committee found that agencies have lost a large number of laptop computers over the past three years in a recent survey of agencies. Committee chairman Tom Davis (R-Va.) has been calling for OMB to provide more guidance to agencies since July when he introduced a bill, called the Federal Agency Data Breach Notification Act, to strengthen laws regarding disclosing incidents to the public.

"[OMB's]guidance is good but clearly not enough, particularly in light of today''s news," said David Marin, the House committee''s staff director. "Stronger controls are required."

To that end, Davis expects to submit additional legislation next week to improve agency response to data breaches.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected