OMB: Prepare now for data breaches
Each agency should assemble a core management team to plan and oversee the response to any data breach that could result in identity theft, according to an OMB memo.
The Office of Management and Budget memo
Each agency should assemble a core management team to plan and oversee the response to any data breach that could result in identity theft, according to a Sept. 20 memo from the Office of Management and Budget.
That recommendation is from a recent report of the Identity Theft Task Force of which Attorney General Alberto Gonzales is chairman. OMB distributed the report and its memo to agency leaders.
The task force recommended that the management teams include high-ranking officials who bring the necessary expertise in areas such as technology, privacy, law and law enforcement, -- all of which come into play in the event of data loss.
But rather than waiting for a breach to occur, the team should plan now for what steps they might take. “An important first step is responding to a breach is for agencies to engage in advance planning,” according to the Identity Theft Task Force report.
The report nearly coincided with the latest report of a potential data breach. On Sept. 21, the Commerce Department announced it has lost 1,137 laptop computers since 2001, and 249 of them contained personally identifiable information. Earlier this year, the Department of Veterans Affairs said that it lost information on millions of veterans.
The report advises agencies to take a methodical approach to responding to such events. The first step is to determine the actual level of risk, because not all data losses pose the same threat of identity theft.
Not every breach needs to be announced, because not every data loss could lead to identity theft. When every breach is announced, people have trouble distinguishing between serious and minor threats, the report states.
The task force also said announcements of data breaches should be timely, and a responsible agency official should break the news. The news should be concise and in plain language. The people affected by the breach should get the actual notice and be told what to do.
Agencies also should ensure that sources of accurate information are available for those affected. Without it, they can become frustrated, the task force memo states.