White House sets new data security rules for federal agencies
The White House has issued a memo [PDF] on information protection and data breach response to the heads of all federal government departments. The memo outlines new rules for responding to data breaches as well as new rules on information-handling procedures.
The 22-page memo was issued by Clay Johnson III, Deputy Director for Management at the Office of Management and Budget, under the subject line “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” It is part of the federal government’s Identity Theft Task Force effort.
The memo states that federal agencies must develop and implement a breach notification policy within 120 days. It outlines the framework for this breach notification policy, which must include specifics on incident reporting and handling and on external breach notification. The memo also requires federal agencies to develop a policy defining who may be authorized to access personal information and what their responsibilities are. Information on what constitutes a data breach and what the appropriate response should be is provided in the attachments to the memo.
The data security memo requires federal agencies to:
- Eliminate the collection and storage of unnecessary information
- Limit access to personally identifiable information
- Set rules for those who work with personally identifiable information
- Use encryption and authentication
- Physically and electronically protect information
- Make all employees aware of data security
- Maintain accurate and up-to-date information
- Assign sensitivity levels to all data
- Certify information systems (internal or contracted) that hold sensitive data
- Control remote access to information
- Implement procedures for detecting, reporting and responding to security incidents
- Make publicly available any responses to the memo
These requirements go above and beyond what is required by the Federal Privacy Act. Although failure to meet the requirements will not be considered criminal negligence, it is clear that government agencies will be held accountable for data protection and data breach notification. By setting a timeframe for implementation of these initiatives, the federal government is ensuring stronger compliance with the new rules.
Read the full White House security memo here.
Via Matt Hines of InfoWorld’s ZeroDay Security