Modifications made to this document are recorded in the change/revision record below. This record shall be maintained throughout the life of the document.
| Date | Section | Version | Description of Change | Author |
|---|---|---|---|---|
| May, 2007 | All | 1.0 | Initial Draft | Pierrette McIntire |
| May, 2008 | All | 1.1 | Annual Update | Pierrette McIntire |
| Aug, 2008 | 4.1 | 1.2 | Added the Cover Page and the Change History table. Also changed the title from Breach Notification Procedure to PII Policy and Procedure. | Sam Musa |
|  | All | 1.2 | Annual review; changed the title from PII Policy and Procedure to Breach Notification Policy. | Sam Musa |
| Oct, 2013 | 4.3 | 1.3 | Noted assumptions for credit monitoring period. | Pierrette McIntire |
| April, 2017 | April, 2017 | 2 | Updated for compliance with M-17-12 | Pierrette McIntire |
Pierrette J. McIntire, CISO
Safeguarding personally identifiable information (PII)(1) in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. Following the guidance outlined in the Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information(2), the U.S. Equal Employment Opportunity Commission (EEOC) has developed this Breach Notification Policy to minimize risk and ensure prompt and appropriate action is taken should such a breach occur. For purposes of this Policy, the term "breach" includes the loss of control, compromise, unauthorized disclosure, or unauthorized acquisition, or any similar occurrence where (1) a person other than the authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for an other than authorized purpose. A breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information.
It is the responsibility of all EEOC system users to help ensure the security and integrity of the information contained in the Commission's automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130(3), the Privacy Act of 1974, and the Federal Information Security Modernization Act of 2014(4) all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody, and protection. All EEOC system users, whether EEOC employees, contractors, interns, contingent workers, or other users of EEOC information and information systems, are expected to be aware of the legal rules and policies that must be followed to safeguard such information. EEOC Order 240.005, Attachment A, Information Security Responsibilities for EEOC System Users(5), outlines these critical responsibilities.
In response to OMB Memorandum M-06-16, EEOC developed the Policy for Personally Identifiable Data Extracts Removed from EEOC Premises(6). In early FY 2017, EEOC developed the Protection of Sensitive Information(7) policy. These policies outline the protective measures that must be followed when PII is handled or stored, or when extracts containing PII are removed from EEOC premises.
In addition, EEOC has implemented strong technical controls to ensure the security and confidentiality of records and to protect against threats to their security and integrity. These include system categorization against Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; implementation of security controls as referenced in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems; authorization-to-operate processes for major information systems; Privacy Impact Assessments; system Rules of Behavior; and annual awareness training that includes an overview of privacy and security responsibilities.
To further reduce risk, EEOC has been very proactive in eliminating the use and storage of social security numbers in its automated information systems. To better protect the privacy of individuals seeking services from the EEOC, in October 2006 the agency removed the social security numbers (SSNs) of individuals who file charges of employment discrimination from its major information system, the Integrated Mission System.
Annually, the EEOC Office of Information Technology and the Office of Legal Counsel will review the current holdings of all personally identifiable information, reduce PII collections to the minimum necessary for the proper performance of the agency function, and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete.
When faced with a security or breach incident, EEOC must be able to respond in a manner that protects both its own information and the information of others who might be affected by the incident. EEOC's Incident Response Plan outlines roles and responsibilities, threats, prevention and responses, procedures, recovery, and reporting requirements. This Breach Notification Policy augments EEOC's Incident Response Plan with respect to the breach or suspected loss of PII.
EEOC staff/contractors should immediately notify management of any incident regarding the loss or suspected breach of PII, in accordance with the EEOC Incident Response Plan. Management should immediately notify the EEOC Chief Information Officer/Senior Agency Official for Privacy (CIO/SAOP), Chief Information Security Officer (CISO), and the Legal Counsel regarding the PII breach, including as much detailed information as possible. A full incident report should promptly follow the notification.
When the SAOP or CISO is made aware of a report of a suspected or confirmed breach, he or she will first determine whether the agency's response can be conducted at the staff level or whether the agency must convene the breach response management team. If the response can be conducted at the staff level, the SAOP or CISO may choose not to convene the breach response management team. At a minimum, the breach response management team shall always be convened when a breach constitutes a major incident, as defined in OMB guidance (M-17-12, Section VII.D.3).
The EEOC CIO/SAOP or CISO will confirm the details of the incident and will follow the Federal Incident Response Guidelines(8) to report the breach to US-CERT (within one hour) and, when appropriate, to law enforcement, oversight entities, and Congress. (Note: new guidelines indicate that only breaches involving data stored digitally or as electronic records should be reported to US-CERT.)
When applicable, the CIO or CISO will immediately notify the EEOC Breach Response Management Team of the incident. The Breach Response Management Team is comprised of the Chief Operating Officer, CIO/SAOP, Legal Counsel, Inspector General (IG), CISO, Deputy General Counsel, Chief Financial Officer, Director of the Office of Communications and Legislative Affairs, and the senior Program Manager of the program experiencing the breach. Other management officials may be included in the notification, as deemed necessary.
If it is determined that the incident could pose issues related to identity theft or other possible areas of harm, the Breach Response Management Team will follow OMB M-17-12 to identify applicable privacy compliance documentation, review possible actions, and implement a response action plan, to include coverage, implementation, notification of individuals potentially impacted by the breach, and reporting.
After identifying the level of risk and bearing in mind the steps taken to limit that risk, the Breach Response Management Team will make a determination regarding notice to parties put at risk by the breach. This determination of notice will be made following OMB M-17-12.
To determine whether a breach creates identity theft risks, the Breach Response Management Team will evaluate the factors of the incident and recommend appropriate action. Determining factors include:
Figure 1, below, is a matrix designed for use as an aid for quick risk assessment when considering the impact of PII or Covered Information loss. The Breach Response Management Team reviews the matrix for each breach notification considered, which is retained as part of the team's response decision.
Figure 1 - Identity Theft Risk Analysis Matrix
Upon initial access to the EEOC Network, all EEOC users must read and acknowledge EEOC's Network/Desktop Rules of Behavior, which include information on PII and Breach Notification requirements. In addition, privacy awareness training was incorporated into EEOC's Annual Security Awareness Training in FY 2016. EEOC provides specialized Privacy Training, including training on handling sensitive information, to appropriate individuals based on their core job function. EEOC also promotes awareness throughout the year, such as by sending reminders through email and/or other special awareness campaigns.
Breaches will be tracked and documented within EEOC's ServiceNow Incident Tracking Module. The CIO/SAOP and CISO will communicate regarding the ongoing response and will determine when the response to the breach is concluded. The CIO/SAOP and the CISO will meet quarterly to discuss the status of any ongoing breach.
(1) The term "personally identifiable information" refers to information that can be used to distinguish or trace an individual's identity, such as name, social security number, biometric records, etc., either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.