Skip top navigation Skip to content

PDF   Print   Email  Share

OFFICE OF INFORMATION TECHNOLOGY (OIT)

Breach Notification Policy

April, 2017

Version 2



DOCUMENT CHANGE HISTORY

Modifications made to this document are recorded in the change/revision record below. This record shall be maintained throughout the life of the document.

Date Section Version Description of Change Author
May, 2007 All 1.0 Initial Draft Pierrette McIntire
May, 2008 All 1.1 Annual Update Pierrette McIntire
Aug, 2008 4.1 1.2 Added the Cover Page, the Change History table. Also, changed the title from Breach Notification Procedure to PII Policy and Procedure. Sam Musa

June, 2010

All 1.2 Annual review; changed the title from PII policy and Procedure to Breach Notification Policy. Sam Musa
Oct, 2013 4.3 1.3 Noted assumptions for credit monitoring period. Pierrette McIntire
April, 2017 April, 2017 2 Updated for compliance with M-17-12 Pierrette McIntire


APPROVAL HISTORY

Approved by


Pierrette J. McIntire, CISO




Table of Contents

  1. INTRODUCTION
  2. BACKGROUND
  3. REVIEW OF COMPLIANCE
  4. BREACH INCIDENT HANDLING AND REPORTING REQUIREMENTS
  5. TRAINING AND AWARENESS
  6. TRACKINGS

MANAGEMENT PROGRAMS
INFORMATION TECHNOLOGY

  1. INTRODUCTION

    Safeguarding personally identifiable information (PII)(1) in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. Following the guidance outlined in the Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information(2), the U.S. Equal Employment Opportunity Commission (EEOC) has developed this Breach Notification Policy to minimize risk and ensure prompt and appropriate action is taken should such a breach occur. For purposes of this Policy, the term "breach" includes the loss of control, compromise, unauthorized disclosure, or unauthorized acquisition, or any similar occurrence where (1) a person other than the authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for an other than authorized purpose. A breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information.

  2. BACKGROUND

    It is the responsibility of all EEOC systems users to help ensure the security and integrity of the information contained in the Commission's automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130(3), the Privacy Act of 1974, and the Federal Information Security Modernization Act of 2014(4) all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, interns, contingent workers, and other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for the purpose of safeguarding such information. EEOC Order 240.005, Attachment A, Information Security Responsibilities for EEOC System Users(5), outlines these critical responsibilities.

    In response to OMB Memorandum M-06-16, EEOC developed Policy for Personally Identifiable Data Extracts Removed from EEOC Premises(6). In early FY 2017, EEOC developed Protection of Sensitive Information(7) policy. These policies outline protective measures that must be followed when PII is handled, stored or when extracts containing PII are removed from the EEOC premises.

    In addition, EEOC has implemented strong technical controls to ensure the security and confidentiality of records and to protect against threats to their security and integrity. This includes system categorization against Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; implementation of security controls as referenced in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems; authorization to operate processes for major information systems; Privacy Impact Assessments, system Rules of Behavior; and annual awareness training which includes an overview of privacy and security responsibilities.

    To further reduce risk, EEOC has been very proactive in eliminating the use and storage of social security numbers in our automated information systems. To better protect the privacy of individuals seeking services from the EEOC, in October 2006, the agency removed the social security numbers (SSN) of individuals who file charges of employment discrimination from our major information system, the Integration Mission System.

  3. REVIEW OF COMPLIANCE

    Annually, the EEOC Office of Information Technology and the Office of Legal Counsel will review the current holdings of all personally identifiable information, reduce PII collections to the minimum necessary for the proper performance of the agency function, and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete.

  4. BREACH INCIDENT HANDLING AND REPORTING REQUIREMENTS

    When faced with a security or breach incident, EEOC must be able to respond in a manner protecting both its own information and helping to protect the information of others who might be affected by the incident. EEOC's Incident Response Plan outlines roles and responsibilities, threats, prevention and responses, procedures, recovery, and reporting requirements. This Breach Notification Policy augments EEOC's Incident Response Plan with respect to breach or suspected loss of PII.

    • 4.1 INCIDENT NOTIFICATION

      EEOC staff/contractors should immediately notify management of any incident regarding the loss or suspected breach of PII, in accordance with the EEOC Incident Response Plan. Management should immediately notify the EEOC Chief Information Officer/Senior Agency Official for Privacy (CIO/SAOP), Chief Information Security Officer (CISO), and the Legal Counsel regarding the PII breach, including as much detailed information as possible. A full incident report should promptly follow the notification.

      • Users/Managers shall not wait for confirmation that a breach has in fact occurred before reporting to the the CIO/SAOP and CISO, as such a delay may undermine the agency's ability to apply preventative and remedial measures to protect the PII or reduce the risk of harm to potentially affected individuals. In addition, any delay may reduce the likelihood that the agency can recover a lost or stolen device or physical document.

      When the SAOP or CISO is made aware of a report of a suspected or confirmed breach, he or she will first determine whether the agency's response can be conducted at the staff level or whether the agency must convene the breach response management team. If the response can be conducted at the staff level, they may choose not to convene the breach response management team. At a minimum, the breach response management team shall always be convened when a breach constitutes a major incident, as defined in OMB guidance (M-17-12, Section VII.D.3).

      The EEOC CIO/SAOP or CISO will confirm the details of the incident and will follow Federal Incident Response Guidelines(8) to report the breach to US-CERT (within one hour), law enforcement and oversight entities, and Congress, when appropriate. (Note: new guidelines indicate that only data stored digitally or as electronic records should be reported to US-CERT.)

    • 4.2 BREACH RESPONSE MANAGEMENT TEAM

      When applicable, the CIO or CISO will immediately notify the EEOC Breach Response Management Team of the incident. The Breach Response Management Team is comprised of the Chief Operating Officer, CIO/SAOP, Legal Counsel, Inspector General (IG), CISO, Deputy General Counsel, Chief Financial Officer, Director of the Office of Communications and Legislative Affairs, and the senior Program Manager of the program experiencing the breach. Other management officials may be included in the notification, as deemed necessary.

      • The Breach Response Management Team will engage in a risk analysis to determine whether the incident poses problems related to identity theft or areas of potential harm. Guidance outlined in OMB M-17-12 will be used to assist in this determination.

      If it is determined that the incident could pose issues related to identify theft or other possible areas of harm, the Breach Response Management Team will follow OMB M-17-12 to identify applicable privacy compliance documentation, review possible actions, and implement a response action plan, to include coverage, implementation, notification of individuals potentially impacted by the breach, and reporting.

      • If the breach involves government-authorized credit cards, steps will immediately be taken to notify the issuing bank. If the breach involves individual's bank account numbers to be used for direct deposit of credit card reimbursements, government employee salary, or any benefit payment, EEOC will notify the bank and other entity that handles that particular transaction immediately.
      • If the breach includes social security numbers or other highly sensitive information, the Breach Response Management Team will determine whether credit-monitoring services will be offered to the affected parties at government expense. If credit-monitoring services are required, they will be immediately acquired off the GSA Blanket Purchase Agreement for credit monitoring services.
      • The Breach Response Management Team will consult with technical and program managers, as appropriate, to determine if immediate follow-up actions are necessary to reduce any residual or follow-up risk related to the incident.
      • If the breach may be related to other breaches or other criminal activity, the EEOC IG will coordinate with appropriate federal law enforcement agencies to enable the government to look for potential links and to effectively investigate and punish criminal activity that may result from, or be connected to, the breach.
    • 4.3 NOTICE TO THOSE AFFECTED

      After identifying the level of risk and bearing in mind the steps taken to limit that risk, the Breach Response Management Team will make a determination regarding notice to parties put at risk by the breach. This determination of notice will be made following OMB M-17-12.

      • If the decision was made to offer credit-monitoring services, the Breach Response Management Team will identify the appropriate agency official who should make contact with the affected parties. When appropriate, contact will be made both verbally (telephone call) and in writing (follow-up letter). The CISO will forward boilerplate Identity Theft Notification letter(s) to the appropriate agency official for completion and processing. The boilerplate letter will describe the incident that occurred, a description of the types of personal information that were involved in the breach, a brief description of the steps the agency is taking to investigate the breach and limit the risk, steps that the individual can take to protect themselves and reduce risk of identity theft, and information on how to obtain the government provided credit-monitoring services. The draft notification will be forwarded to the Office of Legal Counsel for review prior to processing. Credit monitoring services will be acquired for a one-year period. If a longer period of monitoring is requested, the Breach Response Management Team may decide to offer an extended subscription.
      • If the decision is made to notify affected parties but not offer credit monitoring services, the Breach Response Management Team will identify the appropriate agency official who should make contact with the affected parties and the CISO will forward boilerplate Identity Theft Notification letter(s) to this individual for completion and processing. The boilerplate letter will conform to the format and review requirements identified above, without the offer of credit-monitoring services.
      • Determinations and follow-up actions regarding notification will be made in a timely manner, so that those affected may take protective steps as quickly as possible, but without compounding harm from the initial incident through premature announcement based on incomplete facts.
      • If it is determined that public notification of the breach is warranted, the Breach Response Management Team will post information about the breach and notification in a clearly identifiable location on the home page of EEOC's external website. The posting will include a link to Frequently Asked Questions and other talking points to assist the public's understanding of the breach and notification process.
      • As necessary, the Breach Response Management Team will identify resources to handle any follow-up inquiries. If the breach involves a very large number of affected individuals, the Breach Response Management Team may consider acquiring incident response support services through the General Services Administration's (GSA) Identity Protection Services Blanket Purchase Agreements. EEOC may delay any required public announcement of the incident to allow time for implementation of appropriate follow-up resources.
    • 4.4 IDENTITY THEFT RISK ANALYSIS MATRIX

      To determine if a breach causes identity theft risks, the Breach Response Management Team will evaluate the factors of the incident to recommend appropriate action. Determining factors include:

      • Risk of Harm, which includes the type of data compromised in the loss, e.g., telephone book type information, date of birth (DOB) and place of birth (POB), Social Security Number (SSN), personal financial information (credit card or bank account information), and sensitive information contained in a person's official personnel file or background investigation file, where the risk of harm increases as each type of data is combined with the previous element; and
      • Compensating Controls, which include the types of controls in place and enabled at the time of loss or compromise, e.g., no controls, physical controls such as lock boxes, password and/or encryption controls on the device/electronic file, and other multiple security controls enabling strong protection for the sensitive data.

      Figure 1, below, is a matrix designed for use as an aid for quick risk assessment when considering the impact of PII or Covered Information loss. The Breach Response Management Team reviews the matrix for each breach notification considered, which is retained as part of the team's response decision.

    Identity Theft Risk Analysis Matrix

    Figure 1 - Identity Theft Risk Analysis Matrix

  5. TRAINING AND AWARENESS

    Upon initial access to the EEOC Network, all EEOC users must read and acknowledge EEOC's Network/Desktop Rules of Behavior, which includes information on PII and Breach Notification requirements. In addition, privacy awareness training was incorporated into EEOC's Annual Security Awareness Training in FY 2016. EEOC provides specialized Privacy Training, including training on handling sensitive information, to appropriate individuals based on their core job function. EEOC also promotes awareness throughout the year, such as by sending reminders through email and/or other special awareness campaigns.

  6. TRACKING

    Breaches will be tracked and documented within EEOC's ServiceNow Incident Tracking Module. The CIO/SAOP and CISO will communicate regarding the on-going response and for determining when the response to the breach is concluded. The CIO/SAOP and the CISO will meet quarterly to discuss the status of any on-going breach.

    • If EEOC reports a breach to Congress, the SAOP/CIO shall convene the agency's Breach Response Management Team to formally review the agency's response to the breach and identify any lessons learned. EEOC shall use lessons learned to implement specific, preventative actions. EEOC shall document any changes to its breach response plan, policies, training, or other documentation resulting from lessons learned. If there are specific challenges preventing EEOC from instituting remedial measures, EEOC will also document those challenges.

FOOTNOTES:

1 The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security numbers, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

2 https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf

3 https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf

4 https://www.congress.gov/bill/113th-congress/senate-bill/2521/text

5 http://insite.eeoc.gov/insite/TECHNOLOGY/INFOSECURITYRESPONSIBILITIESEEOCSYSUSERS.pdf

6 http://insite.eeoc.gov/insite/TECHNOLOGY/PIIextractpolicyfinal.pdf

7 http://insite.eeoc.gov/OIT/upload/PROTECTION-OF-SENSITIVE-INFORMATION-fv1-161026.pdf

8 https://www.us-cert.gov/sites/default/files/publications/Federal Incident Notification Guidelines.pdf