9297.2C CIO GSA Information Breach Notification Policy
GENERAL SERVICES ADMINISTRATION
Washington, DC 20405
July 31, 2017
SUBJECT: GSA Information Breach Notification Policy
1. Purpose. This Order sets forth GSA’s policy, plan and responsibilities for responding to a breach of personally identifiable information (PII).
2. Cancellation. CIO 9297.2B GSA Information Breach Notification Policy, dated March 31, 2015, is cancelled.
3. Background. This policy provides guidance for the implementation of the Breach Notification Plan required in the Office of Management and Budget (OMB) M-17-12.
4. Applicability. This Order applies to:
a. All GSA employees and contractors responsible for managing Personally Identifiable Information (PII);
b. The Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission; and
c. The Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and it does not conflict with other CBCA policies or the CBCA mission.
5. Guidance. The following guidance is relevant to an adequate response by GSA to an incident involving PII:
a. Privacy Act of 1974, as amended (https://www.justice.gov/opcl/privacy-act-1974)
c. IT Security Procedural Guide: Incident Response, CIO Security 01-02 (https://gsa.gov/node/93943?target=portal/getMediaData?mediaId=534917)
d. GSA CIO 2100.1K IT Security Policy (https://gsa.gov/node/93943?target=portal/content/553345)
e. US-CERT Reporting Requirements (https://www.us-cert.gov/incident-notification-guidelines)
f. Federal Information Security Modernization Act of 2014 (FISMA) (http://csrc.nist.gov/groups/SMA/fisma/index.html)
g. IT Acquisition Efforts CIO-IT Security 09-48, Rev. 3 (https://gsa.gov/node/93943?target=portal/content/627230)
h. CIO 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII) (https://gsa.gov/node/93943?target=portal/content/658222)
a. The Senior Agency Official for Privacy (SAOP) is responsible for the privacy program at GSA and for deciding when it is appropriate to notify potentially affected individuals.
b. The Chief Privacy Officer handles the management and operation of the privacy office at GSA.
c. Responsibilities of the Initial Agency Response Team and Full Response Team members are identified in Sections 14 and 15, below.
7. Personally Identifiable Information (PII). PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Because there are many different types of information that can be used to distinguish or trace an individual's identity, the term PII is necessarily broad. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified using information that is linked or linkable to said individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with the information already held, could be used to identify a specific individual (e.g., SSN, name, DOB, home address, home email).
8. Breach. A breach is the actual or suspected compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, and/or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for other than an authorized purpose.
9. Routine Use Notice. GSA Privacy Act system of records notices (SORNs) must include routine uses for the disclosure of information necessary to respond to a breach. GSA’s Routine Use Notice is documented in the IT Security Procedural Guide: Incident Response, CIO Security 01-02 (https://gsa.gov/node/93943?target=portal/getMediaData?mediaId=534917).
10. Training. GSA is expected to protect the information entrusted to it. Security and privacy training must be completed prior to obtaining access to information and annually to ensure individuals are up-to-date on the proper handling of PII. Security and Privacy Awareness training is provided by GSA Online University (OLU). Failure to complete required training will result in denial of access to information.
In accordance with Office of Management and Budget (OMB) M-17-12 Section X, FIPS 199 Moderate and High impact systems must be tested annually to determine their incident response capability and incident response effectiveness. The SAOP will annually convene the agency's breach response team for a tabletop exercise, designed to test the agency breach response procedure and to help ensure members of the Full Response Team are familiar with the plan and understand their specific roles.
11. Reporting a suspected or confirmed breach. GSA employees and contractors with access to Federal information and information systems must report all suspected or confirmed breaches.
a. A breach involving personally identifiable information (PII) in electronic or physical form must be reported to the GSA Office of the Chief Information Security Officer (OCISO) via the IT Service Desk within one hour of discovering the incident. There should be no distinction between suspected and confirmed PII incidents (i.e., breaches).
b. When an incident involves PII within computer systems, the Security Engineering Division in the OCISO must notify the Chief Privacy Officer by providing a US-CERT Report. The US-CERT Report will be used by the Initial Agency Response Team and the Full Response Team to determine the level of risk to the impacted individuals and the appropriate remedy.
c. Employees and contractors should relay the following basic information: date of the incident, location of the incident, what PII was breached, nature of the breach (e.g. loss of control, compromise, unauthorized access or use), and the suspected number of impacted individuals, if known.
12. Breach Response Plan. The GSA Incident Response Team located in the OCISO shall promptly notify the US-CERT, the GSA OIG, and the SAOP of any incidents involving personally identifiable information and coordinate external reporting to the US-CERT, and the U.S. Congress (if a major incident as defined by OMB M-17-12), as appropriate.
13. Initial Agency Response Team.
a. To ensure an adequate response to a breach, GSA has identified positions that will make up GSA’s Initial Agency Response Team and Full Response Team. The nature and potential impact of the breach will determine whether the Initial Agency Response Team response is adequate or whether it is necessary to activate the Full Response Team, as described below.
b. The Initial Agency Response Team will respond to all breaches and will perform an initial assessment of the risk of harm to individuals potentially affected. The Initial Agency Response Team will escalate to the Full Response Team those breaches that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual (Privacy Act: 5 U.S.C. § 552a(e)(10)), that potentially impact more than 1,000 individuals, or in situations where a unanimous decision regarding proper resolution of the incident cannot be made. Breaches that impact fewer than 1,000 individuals may be escalated to the Full Response Team if they could result in substantial harm based on the nature and sensitivity of the PII compromised; the likelihood of access and use of the PII; and the type of breach (see M-17-12, section VII.E.2.).
c. The Initial Agency Response Team is made up of the program manager of the program experiencing the breach (or responsible for the breach if it affects more than one program/office), the OCISO, the Chief Privacy Officer (or “Privacy Officer”), and a member of the Office of General Counsel (OGC). This team will analyze reported breaches to determine whether a breach occurred, the scope of the information breached, the potential impact the breached information may have on individuals and on GSA, and whether the Full Response Team needs to be convened.
14. Responsibilities of Initial Agency Response Team members.
a. The Chief Privacy Officer leads this Team and assists the program office that experienced or is responsible for the breach by providing a notification template, information on credit monitoring (if necessary), and any other assistance deemed necessary.
b. The Incident Commanders are specialists located in OCISO and are responsible for ensuring that the US-CERT Report is submitted and that the Office of Inspector General (OIG) is notified. The Initial Agency Response Team will determine the appropriate remedy. If a unanimous decision cannot be made, it will be elevated to the Full Response Team.
c. The program office that experienced or is responsible for the breach is responsible for providing the remedy to the impacted individuals (including associated costs) and will provide evidence to the incident response team that impacted individuals were notified within sixty (60) calendar days of the date on which the incident was determined to be a breach.
d. If the impacted individuals are contractors, the Privacy Officer will notify the Contracting Officer who will notify the contractor. The Chief Privacy Officer will provide a notification template and other assistance deemed necessary.
15. Full Response Team. This team consists of the program manager(s) of the program(s) experiencing or responsible for the breach, the SAOP, the Chief Information Officer (CIO), the OCISO, the Chief Privacy Officer, and representatives from the Office of Strategic Communications (OSC), Office of Congressional and Intergovernmental Affairs (OCIA), and OGC. The Full Response Team will respond to breaches that may cause substantial harm, embarrassment, inconvenience, or unfairness to any individual or that potentially impact more than 1,000 individuals.
a. Responsibilities of the Full Response Team:
(1) The SAOP leads this group;
(2) The Chief Privacy Officer assists the program office by providing a notification template, information on credit monitoring (if necessary), and any other assistance that is necessary;
(3) The Full Response Team will determine the appropriate remedy. If a unanimous decision cannot be made, the SAOP will obtain the decision of the GSA Administrator;
(4) The program office experiencing or responsible for the breach is responsible for providing the remedy (including associated costs) to the impacted individuals and will maintain evidence for agency review that notification was provided to impacted individuals within sixty (60) calendar days of the date on which the incident was determined to be a breach. If the remedy costs are too burdensome on the program office, the program office may seek assistance via the SAOP;
(5) The OSC is responsible for coordination of all communication with the media;
(6) The OCIA is responsible for coordination of communication with the US Congress; and
(7) The OGC is responsible for ensuring all remedies meet legal requirements.
b. Notification to individuals affected by a loss may not occur or may be delayed if a national security or law enforcement agency determines that the notification will impede a criminal investigation. This determination will be made by the SAOP for non-major breaches and the Full Response Team for all breaches under their purview.
16. Determination whether notification is required to impacted individuals. The Full Response Team will determine whether notification is necessary for all breaches under their purview. The Initial Agency Response Team will make a recommendation to the Chief Privacy Officer regarding other breaches and the Chief Privacy Officer will then make a recommendation to the SAOP. To determine whether notification of a breach is necessary, the respective team will determine the scope of the breach, to include the types of information exposed, the number of people impacted, and whether the information could potentially be used for identity theft. The team will also assess the likely risk of harm caused by the breach. Finally, the team will assess the level of risk and consider a wide range of harms that include harm to reputation and potential risk of harassment, especially when personal records such as health or financial records are involved.
17. Communication to impacted individuals. In the event the decision to notify is made, every effort will be made to notify impacted individuals as soon as possible unless otherwise precluded under paragraph 15.b. above. Notification shall contain details about the breach, including what information was compromised and whether credit monitoring will be offered. Initial notification shall be completed within sixty (60) calendar days of the date on which the incident was determined to be a breach. In the event the communication could not occur within this timeframe, the Chief Privacy Officer will notify the SAOP explaining why communication could not take place in this timeframe, and will submit a revised timeframe and plan explaining when communication will occur.
18. Annual breach response plan reviews. At the end of each fiscal year, the SAOP shall review reports from the Initial Agency Response Team detailing the status of each breach reported during the fiscal year and consider whether it is necessary to take any action, which may include but is not limited to:
- Updating the breach response plan;
- Developing and/or implementing new policies to protect the agency's PII holdings;
- Revising existing policies to protect the agency's PII holdings;
- Reinforcing or improving training and awareness;
- Modifying information sharing arrangements; and/or
- Developing or revising documentation such as System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or privacy policies.
19. To the extent that this Order creates any changes to conditions of employment for bargaining unit employees (BUEs), it will not be applicable to such BUEs until the Agency has met its Labor Relations obligations.
/S/ Signed by David Shive for
Senior Agency Official for Privacy
Office of GSA IT