Your Agency Just Had a Privacy Breach Now What?

Transcription

1 1 Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. 2 Examples of Breaches ing attachments containing PII Mishandling of paper files containing PII PII in documents posted to public websites Inappropriate disposal of documents Unauthorized disclosures 3 1

2 Not all PII releases are breaches Normally releasable PII does not necessarily mean a breach Release of FOUO documents not necessarily a breach Authorized Releases to Congress and courts 4 Types of Harms Resulting from a Privacy Breach Harm to the Agency: o Undermining the integrity or security of a system or program o Embarrassment o Reputation Harm to an individual: o Identity theft o Embarrassment o Harassment o Unfairness Office of Management and Budget Guidance: The Foundation for Breach Reporting 2

3 Early OMB Guidance OMB Memorandum 06-15, Safeguarding Personally Identifiable Information (May 22, 2006) o Emphasizes agency responsibilities to safeguard Sensitive PII and train employees on their responsibilities for protecting privacy. OMB Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 23, 2006) o Requires agencies to report all incidents (actual or potential) involving PII to US-CERT within one hour of discovery of the incident. Early OMB Guidance OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) o Provides recommendations from the President's Identity Theft Task Force to develop planning and response procedures addressing PII incidents that could result in identify theft. OMB Guidance OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) Required implementation of new PII safeguarding requirements These requirements are implemented throughout the government using agency-specific guidance 9 3

4 Revised definition of PII M Review of existing privacy and security requirements, including requirements for remote access SSN and PII minimization Rules and Consequences Policy Breach reporting, handling, and notification 10 Revised Definition of PII Information that can be used to distinguish or trace an individual s identity, such as their name, SSN, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother s maiden name, etc. 11 M Requirements Review current holdings of PII and ensure that they are accurate, timely, relevant and complete Reduce PII holdings to minimum necessary for proper performance of agency functions Develop schedule for periodic review of PII holdings W/in 120 days, establish a plan to eliminate the unnecessary collection and use of SSNs within 18 months 12 4

5 Rules and Consequences Agencies must develop a Rules and Consequences policy that: Outlines the rules of behavior relative to safeguarding PII Identifies consequences and corrective actions available to follow these rules 13 Incident Reporting and Breach Notification Agencies must develop and implement a breach notification policy within 120 days Notification requirements include electronic systems and paper documents Agencies must include existing and new requirements for incident reporting and handling Reiterates that US-CERT must be notified within one hour of a potential or confirmed breach Publish a routine use for systems of records allowing for the disclosure of information in the course of responding to a breach 14 Breach Management Steps Follow-up Identify Recover Report Eradicate Contain Mitigate 15 5

6 Identification All available information is reviewed in order to determine if a breach has occurred If a breach occurred, information is used to determine if it is a single instance or recurring event 16 Assessing once a Breach Occurs Evaluate the risk of harm More sensitive data = Greater risk of harm Level of risk depends on manner of the actual breach and the nature of the data involved Is notification required? Decide after risk assessment is complete 17 Five Factors to Consider in Determining Harm Nature of data elements Number of individuals affected Likelihood that the information is accessible and useable Likelihood of harm Ability of the agency to mitigate the risk of harm Based on the assessment of these factors, breaches are then classified as Low, Medium, or High 18 6

7 Reporting Employees and contractors must report a potential or confirmed breach One hour to the United States Computer Emergency Readiness Team (US-CERT) 19 Containment Implement short-term actions immediately to limit the scope and magnitude of the breach Determine how the breach occurred: paper, electronic, or both (media) Minimum Action Steps: Determine a course of action concerning the operating status of the media affected by the breach Follow existing agency policy regarding any additional breach containment requirements 20 Mitigation of Harmful Effects Identify personnel who should assist in mitigating and remediating the breach Apply appropriate administrative safeguards, including reporting and analysis Apply appropriate physical safeguards, such as sectioning off the area, controlling any affected PII, and securing hardware Apply appropriate technical safeguards 21 7

8 Eradication Remove the cause of the breach and mitigate vulnerabilities If the cause of the breach cannot be removed, isolate the affected PII Effective eradication efforts include administrative, physical, and technical safeguards Document all activities in the breach case log 22 Breach Notification Agencies should bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion Judgment call by senior leadership Consideration should be given to notifying third parties, such as Congress or the media, in order to maintain public trust Breach Notification If breach notification occurs, determine: Timeliness of the Notification Source of the Notification Contents of the Notification Means of Providing Notification Who Receives Notification: Public Outreach in Response to a Breach 24 8

9 Contents of Breach Notification A description of the specific data that was involved Facts and circumstances surrounding the loss, theft, or compromise A statement on if and how the data was protected (e.g., encryption) Protective actions that are being taken or any mitigation support services that have been implemented by the agency including toll free number and web-site (if applicable) 25 Breach Notification Requirements Component head or senior level individual from the organization where breach occurred First Class US Mail Other means are acceptable if more effective in reaching affected individuals Substitute Notice Telephone (must be followed up in writing) 26 Recovery Verify that appropriate restoration actions were successful Execute necessary changes and document all recovery actions in the breach case log Notify and train users of policy updates, new standard operating procedures and processes, and security upgrades that were implemented due to the breach 27 9

10 Breach Management Steps Follow-up Identify Recover Report Eradicate Contain Mitigate 28 Follow-up and Lessons Learned Develop a list of lessons learned or complete an after action report. Share with personnel and with other organizations, as applicable Establish new assessment procedures in order to identify or prevent similar breaches in the future Provide subsequent employee and contractor training and awareness lessons 29 Best Practices Train all personnel on privacy, security, and their roles and responsibilities before they access agency information systems Incorporate real-life examples into privacy training Only collect PII that satisfies the purpose of the collection or request Implement strong controls to protect PII; asses those controls for compliance Audits: internal and third party 30 10

11 Best Practices Practice proactive risk management Map how PII travels through the facility (whether electronic or paper) Identify its location in transit and at rest Determine areas where it may be vulnerable 31 Best Practices In some cases, paper records are more vulnerable than electronic records Implement strong controls for PII in paper records Ensure cabinets and offices are locked Only take out records when they are in use Protect PII from casual observation 32 Best Practices Know who Needs to Know Know who has access to systems that collect and maintain PII Install strong password rules Maintain access logs as appropriate Keep areas clean and clear of PII when not in use And finally Follow all policies and procedures for removing or destroying PII Remember individuals have rights to their own PII Report and act on any suspected breach 33 11

12 34 QUESTIONS? Kathleen Claffie Acting Branch Chief CBP Privacy Office