OMB: Scrub unnecessary SSNs from systems

Safeguarding against and responding to the breach of personally identifiable information

The Office of Management and Budget has directed agencies to safeguard against data breaches by collecting and storing only a minimal amount of necessary personally identifiable information. As a result, agencies must plan how to reduce the use of Social Security numbers.

Agencies must develop and put in place within four months a risk-based breach notification policy, which also will include plans to eliminate the unnecessary use of Social Security numbers within 18 months, finding alternative personal identifiers and secure federal data accessed remotely. OMB outlined a framework in which agencies must develop the breach notification policy. A breach can include loss of control of the data, unauthorized disclosure or unauthorized access.

The memorandum comes one year after the Veterans Affairs Department reported that a laptop computer containing the personal data of millions of veterans had been stolen from an employee’s home. Law enforcement officials later recovered the laptop, and forensics experts said they believe the data was not accessed. Following that incident, agencies reported a flood of data breaches.

At the time, OMB responded with several memos directing agencies how to define and secure sensitive personal information and when and how to report data breaches.

“Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public,” said Clay Johnson, OMB deputy director for management, in the memo posted May 22.

Officials who are accountable for administering operational, privacy and security programs, legal counsel, agencies’ inspectors general and other law enforcement, and public and legislative affairs share this responsibility. Security training for federal employees should be based on their jobs and responsibilities related to protecting sensitive data and the consequences and accountability for violating them.

To formulate a breach notification policy, agencies must review their existing privacy and security requirements. The policy must include existing and new requirements for incident reporting and handling, and external breach notification. It also requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information.

“A few simple and cost-effective steps may well deliver the greatest benefit,” Johnson said. These include:
  •     Reducing volume of collected and retained personal data to minimum necessary.
  •     Limiting access to only those individuals who must have it.
  •     Using encryption, strong authentication procedures and other security controls to make information unusable by unauthorized individuals.
Agencies must incorporate the costs for securing their systems, including implementing the memo, notification to individuals in the event of a breach and any remediation activities through their existing resources.

In a disclaimer, “the new requirements do not create any rights or benefits, substantive or procedural, which are enforceable at law against the government,” Johnson said.

Featured

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.