Your Agency Just Had a Privacy Breach. Now What?


Kathleen Claffie, U.S. Customs and Border Protection

What is a Breach
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

Examples of Breaches
- Emailing attachments containing PII
- Mishandling of paper files containing PII
- PII in documents posted to public websites
- Inappropriate disposal of documents
- Unauthorized disclosures

Not All PII Releases Are Breaches
- Normally releasable PII does not necessarily mean a breach
- Release of FOUO documents is not necessarily a breach
- Authorized releases to Congress and courts

Types of Harms Resulting from a Privacy Breach
- Harm to the agency:
  o Undermining the integrity or security of a system or program
  o Embarrassment
  o Reputation
- Harm to an individual:
  o Identity theft
  o Embarrassment
  o Harassment
  o Unfairness

Office of Management and Budget Guidance: The Foundation for Breach Reporting

Early OMB Guidance
- OMB Memorandum 06-15, Safeguarding Personally Identifiable Information (May 22, 2006)
  o Emphasizes agency responsibilities to safeguard Sensitive PII and train employees on their responsibilities for protecting privacy.
- OMB Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 23, 2006)
  o Requires agencies to report all incidents (actual or potential) involving PII to US-CERT within one hour of discovery of the incident.
- OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006)
  o Provides recommendations from the President's Identity Theft Task Force to develop planning and response procedures addressing PII incidents that could result in identity theft.

OMB Guidance
- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
  o Required implementation of new PII safeguarding requirements
  o These requirements are implemented throughout the government using agency-specific guidance

M-07-16
- Revised definition of PII
- Review of existing privacy and security requirements, including requirements for remote access
- SSN and PII minimization
- Rules and Consequences policy
- Breach reporting, handling, and notification

Revised Definition of PII
Information that can be used to distinguish or trace an individual's identity, such as their name, SSN, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

M-07-16 Requirements
- Review current holdings of PII and ensure that they are accurate, timely, relevant, and complete
- Reduce PII holdings to the minimum necessary for proper performance of agency functions
- Develop a schedule for periodic review of PII holdings
- Within 120 days, establish a plan to eliminate the unnecessary collection and use of SSNs within 18 months

Rules and Consequences
Agencies must develop a Rules and Consequences policy that:
- Outlines the rules of behavior relative to safeguarding PII
- Identifies the consequences and corrective actions available for failure to follow these rules

Incident Reporting and Breach Notification
- Agencies must develop and implement a breach notification policy within 120 days
- Notification requirements include electronic systems and paper documents
- Agencies must include existing and new requirements for incident reporting and handling
- Reiterates that US-CERT must be notified within one hour of a potential or confirmed breach
- Publish a routine use for systems of records allowing for the disclosure of information in the course of responding to a breach

Breach Management Steps
The steps, in the order the following slides cover them: Identify, Report, Contain, Mitigate, Eradicate, Recover, Follow-up.

Identification
- All available information is reviewed in order to determine if a breach has occurred
- If a breach occurred, the information is used to determine if it is a single instance or a recurring event

Assessing Once a Breach Occurs
- Evaluate the risk of harm: more sensitive data means greater risk of harm
- The level of risk depends on the manner of the actual breach and the nature of the data involved
- Is notification required? Decide after the risk assessment is complete

Five Factors to Consider in Determining Harm
- Nature of the data elements
- Number of individuals affected
- Likelihood that the information is accessible and usable
- Likelihood of harm
- Ability of the agency to mitigate the risk of harm
Based on the assessment of these factors, breaches are then classified as Low, Medium, or High.

Reporting
- Employees and contractors must report a potential or confirmed breach
- One hour to the United States Computer Emergency Readiness Team (US-CERT)

Containment
- Implement short-term actions immediately to limit the scope and magnitude of the breach
- Determine how the breach occurred: paper, electronic, or both (media)
- Minimum action steps:
  o Determine a course of action concerning the operating status of the media affected by the breach
  o Follow existing agency policy regarding any additional breach containment requirements

Mitigation of Harmful Effects
- Identify personnel who should assist in mitigating and remediating the breach
- Apply appropriate administrative safeguards, including reporting and analysis
- Apply appropriate physical safeguards, such as sectioning off the area, controlling any affected PII, and securing hardware
- Apply appropriate technical safeguards

Eradication
- Remove the cause of the breach and mitigate vulnerabilities
- If the cause of the breach cannot be removed, isolate the affected PII
- Effective eradication efforts include administrative, physical, and technical safeguards
- Document all activities in the breach case log

Breach Notification
- Agencies should bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion
- Judgment call by senior leadership
- Consideration should be given to notifying third parties, such as Congress or the media, in order to maintain public trust

Breach Notification
If breach notification occurs, determine:
- Timeliness of the notification
- Source of the notification
- Contents of the notification
- Means of providing notification
- Who receives notification: public outreach in response to a breach

Contents of Breach Notification
- A description of the specific data that was involved
- Facts and circumstances surrounding the loss, theft, or compromise
- A statement on if and how the data was protected (e.g., encryption)
- Protective actions that are being taken or any mitigation support services that have been implemented by the agency, including a toll-free number and website (if applicable)

Breach Notification Requirements
- Source: component head or senior-level individual from the organization where the breach occurred
- Means: first-class US mail; other means are acceptable if more effective in reaching affected individuals:
  o Email
  o Substitute notice
  o Telephone (must be followed up in writing)

Recovery
- Verify that appropriate restoration actions were successful
- Execute necessary changes and document all recovery actions in the breach case log
- Notify and train users on policy updates, new standard operating procedures and processes, and security upgrades that were implemented due to the breach

Follow-up and Lessons Learned
- Develop a list of lessons learned or complete an after-action report; share with personnel and with other organizations, as applicable
- Establish new assessment procedures in order to identify or prevent similar breaches in the future
- Provide subsequent employee and contractor training and awareness lessons

Best Practices
- Train all personnel on privacy, security, and their roles and responsibilities before they access agency information systems
- Incorporate real-life examples into privacy training
- Only collect PII that satisfies the purpose of the collection or request
- Implement strong controls to protect PII; assess those controls for compliance
- Audits: internal and third party

Best Practices
- Practice proactive risk management
- Map how PII travels through the facility (whether electronic or paper)
- Identify its location in transit and at rest
- Determine areas where it may be vulnerable

Best Practices
- In some cases, paper records are more vulnerable than electronic records
- Implement strong controls for PII in paper records
- Ensure cabinets and offices are locked
- Only take out records when they are in use
- Protect PII from casual observation

Best Practices
- Know who needs to know
- Know who has access to systems that collect and maintain PII
- Implement strong password rules
- Maintain access logs as appropriate
- Keep areas clean and clear of PII when not in use

And finally
- Follow all policies and procedures for removing or destroying PII
- Remember that individuals have rights to their own PII
- Report and act on any suspected breach
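Both the "identify its location at rest" practice above and the M-07-16 requirement to review and reduce SSN holdings start with the same task: finding the SSNs you actually hold in exports, case notes, and archived files. The following scanner is an added example written for this page, not code from the presentation or from CBP. It assumes the common 3-2-4 digit SSN shape and applies the SSA's public never-issued rules (area 000, 666 and 900-999; group 00; serial 0000) to cut false positives, which goes beyond the slide's wording; the sample records are constructed and contain no real SSNs.

```python
"""Locate SSN-shaped PII at rest and report it masked.

Added example for the "map where PII lives" best practice; not code from the
CBP presentation. The sample records below are constructed for this example.
"""
import re
from typing import List, NamedTuple

# Three groups: area (3), group (2), serial (4). The separators are optional
# so that "123-45-6789", "123 45 6789" and "123456789" are all caught; the
# \b anchors stop the pattern firing inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


class Finding(NamedTuple):
    record_index: int
    offset: int
    masked: str  # "***-**-5678": enough to investigate, not enough to misuse


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules: never-issued ranges are rejected.

    Area 000, 666 and 900-999, group 00 and serial 0000 have never been
    assigned, so a 9-digit run in one of those ranges is not an SSN.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def mask(serial: str) -> str:
    """Keep only the last four digits so the inventory is not itself a PII store."""
    return f"***-**-{serial}"


def find_ssns(text: str, record_index: int = 0) -> List[Finding]:
    """Return the plausible SSNs in one record, masked, with their offsets."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            findings.append(Finding(record_index, m.start(), mask(serial)))
    return findings


def scan_records(records: List[str]) -> List[Finding]:
    """Scan a collection of records (lines of a file, rows of an export)."""
    out: List[Finding] = []
    for i, rec in enumerate(records):
        out.extend(find_ssns(rec, i))
    return out


# Constructed sample data (invented numbers chosen to exercise each rule).
SAMPLE_RECORDS = [
    "Employee file: SSN 412-34-5678, hired 2012",  # plausible: reported
    "Invoice 000-12-3456 paid",                     # area 000: never issued
    "Badge 666-01-0001",                            # area 666: never issued
    "Travel voucher 987-65-4321",                   # area 900-999: never issued
    "Case note: ssn 529 00 1234 pending",           # group 00: never issued
    "Archive copy 321456789 flagged",               # no separators: still caught
    "Phone 202-344-1610",                           # 3-3-4 digits: no match
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_index} offset {f.offset}: {f.masked}")
```

Run over the sample records it reports two holdings (records 0 and 5) and stays quiet on the invoice, badge, voucher, and phone numbers. Point `scan_records` at lines of a file share export or a database dump to build the "where is PII at rest" map; because the output is masked, the scan results can be shared with the privacy office without creating a new PII holding that itself needs protecting.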

QUESTIONS?
Kathleen Claffie, Acting Branch Chief, CBP Privacy Office
Kathleen.L.Claffie@cbp.dhs.gov
202-344-1610