U.S. Promotes Risk-Based Data Breach Response Model


By Jimmy H. Koo

The exiting Obama administration has embraced a risk-based approach to data breach preparation and mitigation for federal agencies in an Office of Management and Budget memorandum, cybersecurity professionals told Bloomberg BNA.

Lisa M. Ropple, a cybersecurity partner at Jones Day in Boston, told Bloomberg BNA that “this risk-based framework, which is consistent with National Institute of Science and Technology standards and cybersecurity industry best practices, reflects an appreciation of the reality that not all incidents warrant the same response.”

Although aimed at agencies, official OMB guidance carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and that resources should be directed where breaches are more likely, the cybersecurity pros said. In addition, the memo supports efforts to limit breach notices, they said.

Jim Halpert, a partner with DLA Piper LLP in Washington and co-chair of the firm’s Global Data Protection, Privacy and Security practice, told Bloomberg BNA Jan. 5 that the memo “sets out a much more searching and thorough approach to breach notice and preparation for data breaches than previously applied across federal government agencies.”

More Thorough Approach

The OMB Jan. 3 memo to federal agencies’ senior privacy officials outlined a “framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach as well as guidance on whether and how to provide notification and services to those individuals.”

Ropple said that “virtually every step of the breach response protocol—from determining whether an incident involved personally identifiable information (PII), to deciding whether to convene the agency’s breach response team—depends on an assessment of the risk presented by the unique facts and circumstances of the breach.”

According to Ropple, whose practice includes helping clients address and respond to data security incidents, under the OMB’s policies, “the linchpin for determining appropriate breach response depends on an assessment of the risk of harm to individuals whose information was involved in the incident.”

Paul Tiao, partner in the Global Privacy and Cybersecurity Practice at Hunton & Williams LLP, and former senior counselor for cybersecurity to the FBI Director, said that the “OMB memo will hopefully lead to better incident response plans and the consistent use of best practices across the government when federal agencies and contractors have been breached and PII compromised.”

Tiao told Bloomberg BNA Jan. 5 that “effective breach response is a real challenge so it is very important to have incident response plans that work.” According to Halpert, the memo “applies a complex balancing test that agencies will need to consider in deciding how to respond to a data breach.” He said that the memo “applies to a far broader range of information than most breach notice regimes in the U.S.”

Evolving Threats

The OMB memo said that in the modern “information-driven economy,” federal agencies deal with “unprecedented volumes of PII,” ranging from names, addresses and dates of birth to Social Security numbers, geolocation information, medical history and biometric data. The federal government is expected to protect that sensitive PII, and one of the most important challenges for government agencies is protecting their information technology systems and networks from cybersecurity threats.

“Federal employees understandably expect better, especially given the role of certain government agencies in enforcing breach notification requirements when data breaches take place in the private sector,” Tiao said.

Federal IT systems are increasingly becoming the targets of cyberattacks by hackers wishing to sell or trade stolen PII. Between fiscal years 2013 and 2015, the number of cybersecurity incidents reported by federal agencies increased 27 percent, according to the OMB memo.

The risk of harm to individuals resulting from compromised PII has generally been framed in terms of financial harm or stolen identity, the memo said. However, in the modern age, hackers use stolen PII for various purposes, including seeking employment, traveling across international borders, obtaining prescription drugs and other criminal activities, the memo said.

President Barack Obama Feb. 9, 2016 proposed a sweeping new federal cybersecurity effort aimed at boosting the nation’s digital defenses. Obama called for a $3.1 billion Information Technology Modernization Fund aimed at modernizing and replacing legacy information technology systems.

‘Over-Notification’

Ropple said that the OMB memo’s section on notification timing “includes an unusual nod to the dangers of providing notice too quickly upon discovering a breach.” It also acknowledges that “multiple notification of a single event should be avoided,” she told Bloomberg BNA.

The OMB memo said that agencies should assess “whether and when to notify individuals potentially affected by a breach.” Agencies should “balance the need for transparency with concerns about over-notifying individuals,” as notifications may not always be helpful.

“The upshot is that there well may be incidents involving PII in which individuals and the public may never be notified,” Ropple said.

“Overall, this is a thoughtful document with sound advice about breach preparation and response,” Halpert said. “It would be easier to apply if it applied to a somewhat narrower range of information and provided greater clarity as to types of harms that merit notification,” he said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
