Michael E. Reheuser, US Department of Defense

What is a Breach?
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

What is PII?
Information that can be used to distinguish or trace an individual's identity, such as their name, SSN, biometric records, etc., alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
- More than 490,000 complaints to the FTC in 2015
- More than 17 million people claim to be a victim of identity theft
- New types of ID theft are emerging, including synthetic ID theft

- Stolen/lost laptops or BlackBerrys
- Unencrypted emails and attachments containing PII
- Unauthorized use of another user's account
- Unauthorized use of system privileges and data extraction
- Documents containing PII posted to public sites
- Inappropriate disposal of PII (dumpster diving)
- Normally releasable PII does not necessarily mean a breach
- Release of FOUO documents is not necessarily a breach
- Authorized releases to Congress/courts

- Name
- Past and present position titles
- Past and present grades, annual salary
- Past and present duty stations
- Position descriptions
- Exceptions for routinely deployable/certain intelligence personnel

You need a breach response plan
- Examine all available information in order to determine if an event/breach has occurred
- All applicable privacy compliance documents
- Was the breach a single instance or a recurring event?
- The identification process is greatly improved by effective training of privacy officials and senior leaders
Evaluate the risk of harm
- More sensitive data = greater risk of harm
- The level of risk depends on the manner of the actual breach and the nature of the data involved
- Is notification required? Decide after the risk assessment is complete

Risk assessment factors:
- Nature of the data elements
- Number of individuals affected
- Likelihood that the information is accessible and usable
- Likelihood of harm
- Ability of the agency to mitigate the risk of harm
Based on the assessment of these factors, breaches are then classified as Low, Medium, or High.
- Within agency
- Between agencies
- Sometimes a non-federal entity
- Helps identify affected individuals and eliminate duplicate records

Breach Notification
- Is Breach Notification Required?
- Timeliness of the Notification
- Source of the Notification
- Contents of the Notification
- Means of Providing Notification
- Who Receives Notification: Public Outreach in Response to a Breach

Is Breach Notification Required?
- Agencies should bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion
- Judgment call by senior leadership
- Consideration should be given to notifying third parties, such as the media, in order to maintain public trust
Source of the Notification
- Component head or senior-level individual from the organization where the breach occurred

Means of Providing Notification
- 1st Class US Mail
- Other means are acceptable if more effective in reaching affected individuals: email, substitute notice, telephone (must be followed up in writing)

Contents of the Notification
- A description of the specific data that was involved
- Facts and circumstances surrounding the loss, theft, or compromise
- A statement on if and how the data was protected (e.g., encryption)
- Protective actions that are being taken or any mitigation support services that have been implemented by the agency, including a toll-free number and website

Timeliness of the Notification
- Workforce members must report a potential or confirmed breach
- 1 hour to the United States Computer Emergency Readiness Team (US-CERT)
- 24 hours to the Component Senior Official for Privacy
- 10 working days for individual notification
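The three reporting clocks above (1 hour, 24 hours, 10 working days) all start from the same moment of discovery, and the last one is easy to get wrong because it counts working days rather than calendar days. The following Python helper is an example added to this page, not DoD tooling: it computes the three deadlines from a discovery timestamp and flags which obligations are already overdue. The working-day rule it uses (skip Saturday and Sunday plus an optional, caller-supplied holiday set, counting from the day after discovery) is an assumption, not something the slides specify.

```python
"""Reporting-deadline calculator for a PII breach (example code, not DoD's own).

Deadlines modelled, all measured from the time the breach is discovered:
  1 hour         -> US-CERT
  24 hours       -> Component Senior Official for Privacy
  10 working days -> individual notification
"""
from datetime import date, datetime, timedelta


def add_working_days(start: datetime, days: int, holidays=frozenset()) -> datetime:
    """Advance `start` by `days` working days.

    Assumed rule: weekends (Saturday/Sunday) and any dates in `holidays`
    do not count, and counting begins on the day after `start`.
    """
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current


def reporting_deadlines(discovered: datetime, holidays=frozenset()) -> dict:
    """Return the three reporting deadlines keyed by recipient."""
    return {
        "us_cert": discovered + timedelta(hours=1),
        "component_senior_official_for_privacy": discovered + timedelta(hours=24),
        "individual_notification": add_working_days(discovered, 10, holidays),
    }


def overdue(deadlines: dict, now: datetime) -> list:
    """Names of reporting obligations whose deadline has already passed."""
    return [name for name, due in deadlines.items() if now > due]


if __name__ == "__main__":
    # Constructed sample: a breach discovered on Friday 3 March 2017 at 09:00.
    discovered = datetime(2017, 3, 3, 9, 0)
    deadlines = reporting_deadlines(discovered, holidays={date(2017, 3, 10)})
    for recipient, due in deadlines.items():
        print(f"{recipient:40s} due {due:%Y-%m-%d %H:%M}")
    print("overdue now:", overdue(deadlines, datetime(2017, 3, 4, 12, 0)))
```

Feeding the helper the discovery time as soon as a workforce member reports a potential breach gives the privacy official a concrete set of clock times to track; the holiday set is the only input the caller has to maintain.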
Containment
- Implement short-term actions immediately to limit the scope and magnitude of a breach
- Determine the media of PII that may be affected: paper, electronic, or both
Minimum action steps:
- Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the breach
- Follow existing local and higher-authority guidance regarding any additional breach containment requirements
Mitigation of Harmful Effects
- Personnel who may be involved: ensure they are performing required duties to contain harmful effects
- Apply appropriate administrative safeguards, including reporting and analysis
- Apply appropriate physical safeguards, such as sectioning off the area, controlling any affected PII, and securing hardware
- Apply appropriate technical safeguards, such as blocking all exploited ports

Eradication
- Remove the cause of the breach and mitigate vulnerabilities pertaining to it
- If the cause of the breach cannot be removed, isolate the affected PII
- Effective eradication efforts include administrative, physical, and technical safeguards
- Document these activities in the breach identification log
Recovery
- Verify that restoration actions were successful and that the business operation has returned to its normal condition
- Execute necessary changes to the environment and document recovery actions in the breach identification log
- Notify users of policy updates, new standard operating procedures and processes, and security upgrades that were implemented due to the breach
Follow-up and Lessons Learned
- Develop a lessons-learned list and share it with personnel and with other organizations, as applicable
- Establish new assessment procedures in order to identify or prevent similar breaches in the future
- Provide subsequent workforce training and awareness lessons, as necessary

- Train all personnel on privacy, security, and their roles and responsibilities before they access agency information systems
- Only collect PII that satisfies the purpose of the collection or request
- Implement strong controls to protect PII
- Assess those controls for compliance
- Conduct business practice reviews
- Audits: internal and third party
- Learn from good and bad examples

Practice proactive risk management
- Map how PII travels through the facility, including its location in transit and at rest
- Determine areas where it may be vulnerable
- In some cases, paper records are more vulnerable than electronic records
- Implement strong controls for paper PII
- Ensure cabinets and offices are locked
- Only take out records when they are in use
- Protect PII from casual observation
- Isolate equipment that prints PII

Know Who Needs to Know
- Know who has access to systems that collect and maintain PII
- Install strong password rules
- Maintain access logs as appropriate
- Keep areas clean and clear of PII when not in use
And finally:
- Follow all policies and procedures for removing or destroying PII
- Remember that individuals have rights to their own PII, and act on any suspected breach

OMB Memo 17-12: Read it, Know it, Live it