
HHS Policy for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)

Document #: HHS-OCIO-PIM-2020-05-003
Policy Name: HHS Policy for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)
Version #: 2.0
Status: Final
Last Reviewed: May 2020
Next Review: May 2023
Owner: OCIO/PIM
Approved By: José Arrieta, Chief Information Officer

Table of Contents

1. Nature of Changes

2. Purpose

3. Background

4. Scope

5. Authorities

6. Policy

7. Roles and Responsibilities

8. Information and Assistance

9. Effective Date and Implementation

10. Approval

11. Concurrence

Appendix B: Standards

Appendix C: Guidance

1. Factors for Assessing the Risk of Harm to Individual Potentially Affected by a Breach

2. Examples of Guidance HHS May Offer

3. Examples of Services HHS May Offer

Appendix D: Forms and Templates

Glossary and Acronyms


1. Nature of Changes

This Policy updates the previous version, dated June 29, 2017, as part of the three-year review cycle. The definition of “major incident” has been revised to reflect current Office of Management and Budget (OMB) guidance. References and website links have also been updated as necessary.


2. Purpose

The purpose of this U.S. Department of Health and Human Services (HHS) Breach Response Policy (hereafter Policy) is to address Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information.  This Policy sets forth the approach of HHS in preparing for and responding to breaches of personally identifiable information[1] (PII) in any medium or form.  Included in this Policy are requirements for developing and implementing training and awareness activities, preparing for and reporting a suspected or confirmed breach, developing and implementing a breach response plan, assessing and mitigating the risk of harm to potentially affected individuals, tracking and documenting the response to a breach, and assessing any lessons learned.   

This Policy seeks to ensure that responses to PII data breaches are consistent, comprehensive, complete, and delivered in an effective and timely manner to minimize the risk to HHS and individuals.

This Policy supersedes the HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), (HHS-OCIO-2008-0001.003, dated 11/17/2008).


[1] Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Office of Management and Budget (OMB). (2016, July 27). Circular No. A-130, Managing Information as a Strategic Resource, p. 21. Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.


3. Background

The public entrusts HHS with a wide array of PII ranging from basic identifiers, such as name and Social Security number (SSN), to more complex data sets, such as an individual’s genomic sequence or medical history.  This public trust carries with it a corresponding responsibility that HHS will protect and safeguard the information while it is being stored, transmitted, and shared.  Breaches of PII—including the unauthorized use, disclosure, or loss—can have far-reaching implications for individuals whose PII has been compromised, and can result in a loss of public trust with the potential to impede HHS’s ability to carry out its mission.  Therefore, HHS must plan for, respond to, and mitigate the risks associated with breaches of PII.

This Policy updates and supersedes the HHS Policy for Responding to Breaches of Personally Identifiable Information (PII) dated November 17, 2008.  The HHS Policy for Responding to Breaches of Personally Identifiable Information (PII) was initially issued as a standalone policy due to government-wide, high-level attention placed on incidents involving the loss of PII, and pursuant to OMB guidance mandating specific processes for PII breaches that are different from the processes for responding to information technology (IT) security incidents.  In addition, for breaches involving unsecured protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI to individuals, the HHS Office for Civil Rights (OCR), and, in some cases, the media.[1]  The specific processes for breach notification involving unsecured PHI are available from OCR.   

This Policy is supplemented by the U.S. Department of Health and Human Services (HHS) Breach Response Plan, which sets forth in greater detail the actions that must be taken to prepare for and respond to a breach.  These actions include specifying members of the HHS Breach Response Team,[2] identifying applicable compliance documentation, sharing information as part of a breach response, complying with reporting requirements, assessing the risk of harm to individuals potentially affected by a breach, mitigating the risk of harm to individuals potentially affected by a breach, and notifying individuals potentially affected by a breach.


[1] Please review the Health Insurance Portability and Accountability Act (HIPAA) and applicable U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) guidance to determine whether HIPAA applies.  Health Insurance Portability and Accountability Act (HIPAA) of 1996, 45 C.F.R. 164.408. 

[2] Also known as the HHS Privacy Incident Response Team.


4. Scope

This Policy applies to HHS’s Federal information and information systems, as defined in the Federal Information Security Modernization Act (FISMA),[1] but does not apply to national security systems, as defined in FISMA.[2]

Within the HHS organizational structure, this Policy applies to all HHS components, including Operating Divisions (“OpDivs”),[3] as well as organizations and users conducting business for and on behalf of HHS through contractual, grant-making, or other relationships.  References to HHS encompass all components of HHS.  This Policy does not supersede any applicable law or higher-level Agency directive, nor does it supersede any existing labor management agreement in effect as of the effective date of this Policy.

This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government employees supporting HHS.  All organizations collecting or maintaining information or using or operating information systems on behalf of HHS are also subject to this Policy.  To the extent that a grant recipient’s responsibilities with respect to PII align with Federal and contractor responsibilities, their breach response responsibilities must similarly align.  Compliance with this Policy must be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover (e.g., HHS Acquisition Regulation (HHSAR), FISMA guidance such as the HHS Information Systems Security and Privacy Policy (IS2P)), as appropriate.            

While the ultimate authority and decision-making ability for HHS breach response lies with the HHS Secretary and HHS Senior Agency Official for Privacy (SAOP), Breach Response Stakeholders within the OpDivs are responsible for carrying out many of the breach response activities detailed in this Policy.  For the purposes of this Policy, Breach Response Stakeholders may include, but are not limited to, OpDiv Senior Officials for Privacy (SOPs), OpDiv privacy staff, OpDiv security staff, OpDiv system owners, and OpDiv program managers.  Breach response activities carried out by Breach Response Stakeholders will be subject to final approval of the HHS SAOP.  Furthermore, activities that are assigned in this Policy to the HHS SAOP may be carried out by the HHS Office of Privacy and Information Management (PIM) or Breach Response Stakeholders.

OpDivs must adopt and implement this Policy and may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this HHS Policy, or that is not compliant with OMB Memorandum M-17-12.


[1] Federal Information Security Modernization Act (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II); OMB. (2016, July 27). Circular No. A-130, Managing Information as a Strategic Resource. Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.

[2] FISMA. 44 U.S.C. § 3552.


[3] For the purposes of this document, references to Operating Divisions (OpDiv) also include Staff Divisions (StaffDiv).  The privacy program of the Office of the Secretary (OS) provides privacy support for HHS StaffDivs, including executing the requirements of this Policy.

5. Authorities

This section contains a list of applicable laws and guidance that are either referenced in this Policy or may prove useful in implementing the procedures detailed in this Policy.

5.1. Federal Laws

  • Federal Information Security Modernization Act (FISMA) of 2014, Pub.  L. 113-283, 128 Stat. 3073 (Dec. 18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II).  Available at: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf.

5.2. Executive Orders, Memoranda, and Directives

  • OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (Jan. 3, 2017). Available at: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf.
  • OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program (Dec. 10, 2018).  Available at: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf.
  • OMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (Nov. 19, 2019).  Available at: https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf.
  • OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016).  Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.
  • PPD-41, Annex for Presidential Policy Directive – United States Cyber Incident Coordination (July 26, 2016).  Available at: https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident.
  • OMB Memorandum M-16-14, Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016).  Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-14.pdf.

5.3. Agencies or Sub-Components with Specific Government-wide Guidance

5.3.1. Department of Commerce/National Institute of Standards and Technology (NIST)

  • NIST Special Publication 800-34 (Revision 1), Contingency Planning Guide for Federal Information Systems and Organizations (May 2010).  Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.
  • NIST Special Publication 800-61 (Revision 2), Computer Security Incident Handling Guide (Aug. 2012).  Available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
  • NIST Special Publication 800-122, Guide to Protecting the Confidentiality of PII (Apr. 2010).  Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.

5.3.2. Department of Homeland Security (DHS)/United States Computer Emergency Readiness Team (US-CERT)

  • US-CERT Federal Incident Notification Guidelines.  Available at: https://www.us-cert.gov/incident-notification-guidelines.
  • National Cybersecurity and Communications Integration Center (NCCIC) Cyber Incident Scoring System.  Available at: https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.

5.3.3. General Services Administration (GSA)

  • Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA).  Available at: https://www.gsa.gov/portal/content/245911.

6. Policy

6.1  Applicability

To determine this Policy’s applicability, Breach Response Stakeholders will assess whether the information at issue is PII (i.e., whether the information can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual).[1]  In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available—in any medium or from any source—that would make it possible to identify an individual.[2]

6.2 Training and Awareness Campaigns

HHS will promote breach response awareness throughout the year and will ensure that annual breach awareness training is mandated for all users with access to HHS Federal information and information systems.[3]  The training will describe how to identify and respond to a breach, including the internal process for reporting a breach.[4]  System users—including those with temporary access such as detailees, contractors, grantees, volunteers, and interns—will be required to take training prior to accessing HHS Federal information and information systems and annually thereafter.[5]  Individuals with elevated responsibilities—such as system administrators, supervisors, and employees who have access to or responsibilities for Federal High Value Assets[6]—should also complete role-based training when available.[7]

Prior to being granted access, all employees, contractors, and other individuals with access to Federal information systems must agree to abide by HHS Rules of Behavior for Use of HHS Information Resources, which includes consequences for failing to comply with the reporting requirements.[8]

6.3 Administrative Tasks to Prepare for Breach Response

6.3.1. Privacy Act Routine Uses Required to Respond to a Breach

As a matter of HHS policy, the HHS SAOP or his or her designee must ensure that all Privacy Act system of records notices (SORNs) include routine uses for the disclosure of information necessary to respond to a breach of PII.[9]  The language in updated SORNs must be modeled on the language set forth in the OMB Memorandum M-17-12 and must be as follows:    

To facilitate the agency's response to a suspected or confirmed breach of its own records: “To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”
To disclose records in their systems of records that may reasonably be needed by another agency in responding to a suspected or confirmed breach: “To another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

6.3.2. Contracts and Contractor Requirements for Breach Response

Contracts with entities that collect, maintain, use, or operate Federal information or information systems on behalf of HHS (including on behalf of an OpDiv) must include the following requirements:[10]

  • The contractor must cooperate with and exchange information with HHS officials, as deemed necessary by the HHS Breach Response Team, to report and manage a suspected or confirmed breach.
  • All contractors and subcontractors must properly encrypt PII in accordance with OMB Circular A-130 and other applicable policies, including OpDiv-specific policies, and comply with HHS-specific policies for protecting PII.
  • All contractors and subcontractors must participate in regular training on how to identify and report a breach.
  • All contractors and subcontractors must report a suspected or confirmed breach in any medium as soon as possible and without unreasonable delay, consistent with applicable HHS IT acquisitions guidance, HHS incident management policy, and United States Computer Emergency Readiness Team (US-CERT) notification guidelines.[11]
  • All contractors and subcontractors must be able to determine what Federal information was or could have been accessed and by whom, construct a timeline of user activity, determine methods and techniques used to access Federal information, and identify the initial attack vector.[12]
  • All contractors and subcontractors must allow for an inspection, investigation, forensic analysis, and any other action necessary to ensure compliance with this Policy and the HHS Breach Response Plan (Appendix A), and to assist with responding to a breach.
  • Cloud service providers must use guidance provided in the FedRAMP Incident Communications Procedures when deciding when to report directly to US-CERT first or notify HHS first.
  • The contract must identify roles and responsibilities, in accordance with this Policy and the HHS Breach Response Plan (Appendix A); and,
  • The contract must acknowledge that HHS will not interpret a report of a breach, by itself, as conclusive evidence that the contractor or its subcontractor failed to provide adequate safeguards for PII.

The HHS Chief Acquisition Officer (CAO), in coordination with the HHS SAOP, must ensure that contract provisions to assist with the response to a breach are uniform and consistently included in HHS contracts.  In addition, the HHS SAOP and HHS Chief Information Officer (CIO) must ensure that the HHS Breach Response Plan (Appendix A) and system security authorization documentation clearly define the roles and responsibilities of contractors that operate Federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of HHS.

The HHS Breach Response Team and Breach Response Stakeholders may grant approval to the HHS or OpDiv contractor to notify individuals potentially affected by a breach, as described in the HHS Breach Response Plan (Appendix A), and may require the HHS or OpDiv contractor to take countermeasures to mitigate the risk of harm.[13]  Contractor notification on behalf of HHS must be carried out in accordance with OMB guidance, HHS IT acquisitions guidance, and the HHS Breach Response Plan (Appendix A) and must be coordinated with and subject to prior written approval by the HHS Breach Response Team.[14]

6.3.3. Grants and Grantee Requirements for Breach Response

All HHS grant recipients (including OpDiv grant recipients) that use or operate a Federal information system, or create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII within the scope of a Federal award, must have procedures in place to respond to a breach.  Any award involving the use of Federal data and information must include terms and conditions requiring the recipient to notify and cooperate with the Federal awarding agency to properly escalate, refer, and respond to a breach.[15]

6.3.4. Identifying Logistical and Technical Support to Respond to a Breach

Responsible parties within HHS—including the HHS SAOP, HHS CIO, Heads of OpDivs, and Breach Response Stakeholders—must identify the logistical capabilities (including the ability to notify and provide services to potentially affected individuals) and the technical remediation and forensic analysis capabilities within HHS, and identify the offices that are responsible for those capabilities.  Where there are gaps in HHS’s ability to respond to a breach, responsible parties must communicate with the HHS CAO about the need to enter into contracts to carry out any remaining breach response functions.  Responsible parties can seek support from other Federal agencies—including the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC)—and may request technical assistance from US-CERT.[16]

6.4. Reporting a Suspected or Confirmed Breach

All individuals with access to HHS’s Federal information and information systems must report a suspected or confirmed breach to the OpDiv or HHS as soon as possible and without unreasonable delay, consistent with OpDiv and HHS incident management policies and procedures (including, for example, HHS Computer Security Incident Response Center (CSIRC) Concept of Operations),[17] HHS IT acquisitions guidance, NIST standards and guidelines, US-CERT notification guidelines, Federal Policy for the Protection of Human Subjects (the “Common Rule”),[18] HIPAA, and any other applicable law and guidance.[19]  HHS has established the following communication channels through which individuals can report a suspected or confirmed breach: Phone: 1-866-646-7514; Email: [email protected].[20]  OpDivs may also establish their own communication channels to report a suspected or confirmed breach.[21]

To the extent necessary or appropriate, the HHS SAOP must develop guidance that documents the types of circumstances that do not require reporting a suspected or confirmed breach.[22]

6.5. Breach Response Plan

The HHS SAOP will develop and implement a breach response plan that includes the following information:[23]

  • HHS officials who comprise the HHS Breach Response Team, as well as their respective roles and responsibilities (see Sections 2.1 and 3 of the HHS Breach Response Plan (Appendix A) for additional information);
  • Applicable privacy compliance documentation (see Section 2.2 of the HHS Breach Response Plan (Appendix A) for additional information);
  • Processes for information sharing within HHS, between Federal agencies, or with a non-Federal entity (see Section 2.3 of the HHS Breach Response Plan (Appendix A) for additional information);
  • Reporting requirements (see Section 2.4 of the HHS Breach Response Plan (Appendix A) for additional information);
  • The factors and approach to assessing the risk of harm to potentially affected individuals (see Section 2.5 of the HHS Breach Response Plan (Appendix A) for additional information);
  • Strategies for mitigating the risk of harm to potentially affected individuals (see Section 2.6 of the HHS Breach Response Plan (Appendix A) for additional information); and
  • Approaches to notifying potentially affected individuals (see Section 2.7 of the HHS Breach Response Plan (Appendix A) for additional information).

Pursuant to Sections 6.7, 6.8, and 6.9 of this Policy, the HHS Breach Response Plan (Appendix A) must be reviewed not less than annually and updated as appropriate.  OpDivs may develop and implement their own breach response plan provided the plan is approved by the HHS SAOP and is consistent with the HHS Breach Response Plan (Appendix A), OMB guidance, and applicable law.  OpDiv breach response plans must clearly detail the relationship between the OpDiv-level plan and the HHS Breach Response Plan (Appendix A).

6.6. Tracking and Documenting the Response to a Breach

HHS must develop and maintain a formal process to track and document each breach reported to the agency.  In accordance with the documented process, the HHS SAOP must be made aware of each report of a suspected or confirmed breach in a timely manner.  The Breach Response Stakeholders must keep HHS CSIRC informed of the status of the breach, including when a breach response has concluded, and the outcome of the breach.

HHS will maintain a standard internal reporting template within its Breach Response Tool to track and monitor:

  • The total number of breaches reported over a given period of time;
  • The status for each reported breach, including whether HHS’s response to a breach is ongoing or has concluded;
  • The number of individuals potentially affected by each reported breach;
  • The types of information potentially compromised by each reported breach;
  • Whether HHS, after assessing the risk of harm, provided notification to the individuals potentially affected by a breach;
  • Whether HHS, after considering how best to mitigate the identified risks, provided services to the individuals potentially affected by a breach; and
  • Whether a breach was reported to US-CERT and/or Congress.[24]

6.7. Lessons Learned

At the end of each quarter, HHS CSIRC must provide a report to the HHS SAOP detailing the status of each breach reported during the fiscal year.  The HHS SAOP must review and validate the report for accuracy.  When HHS reports a breach to Congress, the HHS SAOP must convene the HHS Breach Response Team to review the response, identify lessons learned, and implement specific, preventive actions.  The HHS Breach Response Team must document changes to the HHS Breach Response Plan (Appendix A), policies, training, or other documentation resulting from lessons learned.[25]  If there are specific challenges preventing HHS from instituting remedial measures, the HHS Breach Response Team must document those challenges.[26]

6.8. Tabletop Exercises and Annual Plan Reviews

The HHS Breach Response Team must convene periodically, but not less than annually, to hold a tabletop exercise to practice responding to breaches to further refine and validate the HHS Breach Response Plan (Appendix A) and identify potential weaknesses in HHS’s response capabilities.

At the end of each fiscal year, the HHS SAOP must review the reports from CSIRC described in Section 6.6, “Tracking and Documenting the Response to a Breach,” of this Policy to determine whether any modifications to the HHS Breach Response Plan (Appendix A), policies pertaining to PII, trainings, information sharing agreements, SORNs, Privacy Impact Assessments (PIAs), or privacy policies are needed.  The HHS SAOP must review the HHS Breach Response Plan (Appendix A) to ensure that it is current, accurate, and reflects any changes in law, guidance, standards, HHS policy, procedures, staffing, or technology.  OpDivs will be invited to participate in HHS’s tabletop exercises, when applicable, and are encouraged to develop and conduct OpDiv-specific exercises.

6.9. Annual FISMA Reports

HHS must include in its annual FISMA report descriptions of HHS’s implementation of the requirements of OMB Memorandum M-17-12.  At a minimum, HHS must:

  • Confirm that HHS satisfied all requirements in OMB Memorandum M-17-12 for training and awareness with respect to breach reporting or, if not, explain why HHS did not satisfy the requirements and what steps HHS will take to satisfy the requirements in the next reporting period;
  • Submit the number of breaches reported within HHS during the reporting period, the number of breaches reported by HHS CSIRC to US-CERT, and the number of breaches reported by the agency to Congress, as well as the number of potentially affected individuals;
  • Submit the HHS Breach Response Plan (Appendix A) and certify that the plan has been reviewed and updated over the past 12 months, as appropriate;
  • Submit the names and titles of the HHS Breach Response Team members and identify those individuals who were removed from the Team or added to the Team over the past 12 months; and
  • Confirm that the members of the HHS Breach Response Team participated in at least one tabletop exercise during the reporting period or, if not, explain why and what steps the HHS SAOP will take to ensure that the HHS Breach Response Team participates in a tabletop exercise during the next reporting period.[27]

7. Roles and Responsibilities

The following sets forth the roles and high-level responsibilities that various stakeholders must undertake regarding a suspected or confirmed breach of PII.

Please note that, as set forth in Section 4 of this Policy, much of the ultimate authority and decision-making ability for HHS breach response lies with the HHS SAOP and HHS Secretary, who are empowered to delegate components of their responsibilities to an assigned designee.  Many of the responsibilities for breach response will be carried out by Breach Response Stakeholders within the OpDivs.

7.1. HHS Secretary

The responsibilities of the HHS Secretary are set forth in the HHS Breach Response Plan (Appendix A).

7.2. HHS Senior Agency Official for Privacy (SAOP)

The responsibilities of the HHS SAOP include, but are not limited to, the following:

  1. Work with the HHS Privacy Act Officer to ensure that all HHS SORNs include the two routine uses prescribed in OMB Memorandum M-17-12 to permit disclosure of information necessary to respond to a breach of HHS’s PII.[28]  (See Policy Section 6.3.1 above for additional information)
  2. In coordination with the HHS CAO, ensure that contract provisions to assist with the response to a breach are uniform and consistently included in HHS contracts.[29]  In coordination with the HHS CIO, ensure that the HHS Breach Response Plan (Appendix A) and system security authorization documentation clearly define the roles and responsibilities of contractors that operate Federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of HHS.[30]  (See Policy Section 6.3.2 above for additional information)
  3. In coordination with the HHS CIO, Heads of OpDivs, and Breach Response Stakeholders, identify the logistical, technical remediation, and forensic analysis capabilities that exist within HHS and the offices responsible for maintaining those capabilities.[31]  (See Policy Section 6.3.4 above for additional information)
  4. In coordination with the HHS CIO, Heads of OpDivs, and Breach Response Stakeholders, communicate with the HHS CAO about the need to enter into contracts to carry out any remaining breach response functions where there are gaps in HHS’s ability to respond to a breach.[32]  (See Policy Section 6.3.4 above for additional information)
  5. In coordination with the HHS CIO, Heads of OpDivs, and Breach Response Stakeholders, consider whether other Federal agencies can support HHS in the event of a breach.[33]  (See Policy Section 6.3.4 above for additional information)
  6. To the extent necessary or appropriate, develop guidance that documents the limited circumstances under which the requirement to report a suspected or confirmed breach to HHS is not triggered.[34]  (See Policy Section 6.4 above for additional information)
  7. Develop and implement an HHS Breach Response Plan (Appendix A) to effectively and efficiently respond to a breach at HHS.[35]  (See Policy Section 6.5 above for additional information)
  8. When applicable, approve the breach response plan prepared by an HHS OpDiv.[36]  (See Policy Section 6.5 above for additional information)
  9. At the end of each quarter, review and validate the HHS CSIRC report detailing the status of each breach reported during the fiscal year.[37]  (See Policy Section 6.7 above for additional information)
  10. When HHS reports a breach to Congress, convene the HHS Breach Response Team to formally review the HHS response to the breach, identify any lessons learned, and implement specific, preventive actions.[38]  (See Policy Section 6.7 above for additional information)
  11. At the end of each fiscal year, review CSIRC reports to determine whether any modifications to the HHS Breach Response Plan (Appendix A), policies pertaining to PII, trainings, information sharing agreements, SORNs, PIAs, or privacy policies are needed.[39]  (See Policy Section 6.8 above for additional information)
  12. Review the HHS Breach Response Plan (Appendix A) to confirm that it is current, accurate, and reflects changes in law, guidance, standards, applicable HHS policies, procedures, staffing, or technology.[40]  (See Policy Section 6.8 above for additional information)
  13. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.3. HHS Chief Information Officer (CIO)

The responsibilities of the HHS CIO include, but are not limited to, the following:

  1. In coordination with the HHS SAOP, ensure that the HHS Breach Response Plan (Appendix A) and system security authorization documentation clearly define the roles and responsibilities of contractors that operate Federal information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of HHS.[41]  (See Policy Section 6.3.2 above for additional information)
  2. In coordination with the HHS SAOP, Heads of OpDivs, and Breach Response Stakeholders, identify the logistical, technical remediation, and forensic analysis capabilities that exist within HHS and the offices responsible for maintaining those capabilities.[42]  (See Policy Section 6.3.4 above for additional information)
  3. In coordination with the HHS SAOP, Heads of OpDivs, and Breach Response Stakeholders, communicate with the HHS CAO about the need to enter into contracts to carry out any remaining breach response functions where there are gaps in HHS’s ability to respond to a breach.[43]  (See Policy Section 6.3.4 above for additional information)
  4. In coordination with the HHS SAOP, Heads of OpDivs, and Breach Response Stakeholders, consider whether other Federal agencies can support HHS in the event of a breach.[44]  (See Policy Section 6.3.4 above for additional information)
  5. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.4. HHS Chief Acquisition Officer (CAO)

The responsibilities of the HHS CAO include, but are not limited to, the following:

  1. In coordination with the HHS SAOP, ensure that contract provisions to assist with the response to a breach are uniform and consistently included in HHS contracts.[45]  (See Policy Section 6.3.2 above for additional information)
  2. Assist responsible parties with entering into contracts, as needed, to carry out any remaining breach response functions where there are gaps in HHS’s ability to respond to a breach.  (See Policy Section 6.3.4 above for additional information)

7.5. HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS CISO are set forth in the HHS Breach Response Plan (Appendix A).

7.6. HHS Computer Security Incident Response Center (CSIRC)

The responsibilities of the HHS CSIRC include, but are not limited to, the following:

  1. At the end of each fiscal quarter, provide a report to the HHS SAOP detailing the status of each breach reported to HHS CSIRC during the fiscal year.[46]  (See Policy Section 6.7 above for additional information)
  2. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.7. HHS Operating Divisions (OpDivs)

The responsibilities of the HHS OpDivs include, but are not limited to, the following:

  1. Adopt and implement the HHS Breach Response Policy.  (See Policy Section 4 above for additional information)
  2. As applicable, obtain HHS SAOP approval prior to implementing an OpDiv-specific breach response plan, and ensure that the OpDiv-specific breach response plan is consistent with the requirements of the HHS Breach Response Plan (Appendix A), OMB guidance, and applicable law.[47]  (See Policy Section 6.5 above for additional information)
  3. When invited, participate in HHS’s tabletop exercises.[48]  (See Policy Section 6.8 above for additional information)
  4. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.8. Heads of Operating Divisions (OpDivs)

The responsibilities of Heads of OpDivs include, but are not limited to, the following:

  1. In coordination with the HHS SAOP, HHS CIO, and Breach Response Stakeholders, identify the logistical, technical remediation, and forensic analysis capabilities that exist within HHS and the offices responsible for maintaining those capabilities.[49]  (See Policy Section 6.3.4 above for additional information)
  2. In coordination with the HHS SAOP, HHS CIO, and Breach Response Stakeholders, communicate with the HHS CAO about the need to enter into contracts to carry out any remaining breach response functions where there are gaps in HHS’s ability to respond to a breach.[50]  (See Policy Section 6.3.4 above for additional information)
  3. In coordination with the HHS SAOP, HHS CIO and Breach Response Stakeholders, consider whether other Federal agencies can support HHS in the event of a breach.[51]  (See Policy Section 6.3.4 above for additional information)
  4. In coordination with Breach Response Stakeholders, where there are gaps in an OpDiv’s ability to respond to a breach, assess whether the lacking breach response capabilities can be addressed at the OpDiv level.  If additional breach response capabilities are needed HHS- or enterprise-wide or involve the use of a GSA BPA, communicate with the CAO about these outstanding needs.  (See Policy Section 6.3.4 above for additional information)
  5. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.9. Contractors and Subcontractors 

The responsibilities of all contractors and subcontractors include, but are not limited to, the following:

  1. When approved by the HHS Breach Response Team and Breach Response Stakeholders, notify any potentially affected individuals when PII that is created, collected, used, processed, stored, maintained, disseminated, disclosed, or disposed of by a contractor or by a subcontractor on behalf of HHS is involved in a breach.[52]  Notification must be carried out in accordance with OMB guidance and the HHS Breach Response Plan (Appendix A) and coordinated with and subject to prior written approval by the HHS Breach Response Team.[53]  (See Policy Section 6.3.2 above for additional information)
  2. When required by the HHS Breach Response Team and Breach Response Stakeholders, take countermeasures to mitigate the risk of harm to individuals potentially affected by a breach.[54]  (See Policy Section 6.3.2 above for additional information)
  3. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.10. HHS Grant Recipients

The responsibilities of HHS grant recipients (including OpDiv grant recipients) include, but are not limited to, the following:

  1. Ensure procedures are in place to respond to a breach.[55]  (See Policy Section 6.3.3 above for additional information)

7.11. HHS Breach Response Team

The responsibilities of the HHS Breach Response Team include, but are not limited to, the following:

  1. As applicable and in coordination with Breach Response Stakeholders, grant approval to an HHS or OpDiv contractor to notify individuals potentially affected by a breach, as described in the HHS Breach Response Plan (Appendix A).  The HHS Breach Response Team and Breach Response Stakeholders may also require the HHS or OpDiv contractor to take countermeasures to mitigate the risk of harm to potentially affected individuals.[56]  (See Policy Section 6.3.2 above for additional information)
  2. When convened after HHS reports a breach to Congress, review the response, identify lessons learned, and implement specific, preventive actions.[57]  (See Policy Section 6.7 above for additional information)
  3. Document changes to the HHS Breach Response Plan (Appendix A), policies, training, or other documentation resulting from lessons learned.  Document any specific challenges preventing HHS from instituting remedial measures.[58]  (See Policy Section 6.7 above for additional information)
  4. Convene periodically, but not less than annually, to hold a tabletop exercise to practice responding to breaches to further refine and validate the HHS Breach Response Plan (Appendix A) and identify any potential weaknesses in HHS’s response capabilities.[59]  (See Policy Section 6.8 above for additional information)
  5. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.12. Breach Response Stakeholders

The responsibilities of HHS Breach Response Stakeholders[60] include, but are not limited to, the following:

  1. Assess whether the information at issue in a breach is PII in order to determine this Policy’s applicability.  (See Policy Section 6.1 above for additional information)
  2. As applicable and in coordination with the HHS Breach Response Team, grant approval to an HHS or OpDiv contractor to notify individuals potentially affected by a breach, as described in the HHS Breach Response Plan (Appendix A).  The HHS Breach Response Team and Breach Response Stakeholders may also require the HHS or OpDiv contractor to take countermeasures to mitigate the risk of harm to potentially affected individuals.[61]  (See Policy Section 6.3.2 above for additional information)
  3. In coordination with the HHS SAOP, HHS CIO, and Heads of OpDivs, identify the logistical, technical remediation, and forensic analysis capabilities that exist within HHS and the offices responsible for maintaining those capabilities.[62]  (See Policy Section 6.3.4 above for additional information)
  4. In coordination with the HHS SAOP, HHS CIO, and Heads of OpDivs, communicate with the HHS CAO about the need to enter into contracts to carry out any remaining breach response functions where there are gaps in HHS’s ability to respond to a breach.[63]  (See Policy Section 6.3.4 above for additional information)
  5. In coordination with the HHS SAOP, HHS CIO, and Heads of OpDivs, consider whether other Federal agencies can support HHS in the event of a breach.[64]  (See Policy Section 6.3.4 above for additional information)
  6. In coordination with Heads of OpDivs, where there are gaps in an OpDiv’s ability to respond to a breach, assess whether the lacking breach response capabilities can be addressed at the OpDiv level.  If additional breach response capabilities are needed HHS- or enterprise-wide or involve the use of a GSA BPA, communicate with the CAO about these outstanding needs.  (See Policy Section 6.3.4 above for additional information)
  7. Keep HHS CSIRC informed of the status of an ongoing breach response and of the determination for when the response to a breach has concluded.[65]  (See Policy Section 6.6 above for additional information)
  8. Additional specific responsibilities as set forth in the HHS Breach Response Plan (Appendix A).

7.13. Notifying Official

The responsibilities of the Notifying Official are set forth in the HHS Breach Response Plan (Appendix A).

7.14. HHS System Users

The responsibilities of HHS system users (individuals with access to HHS Federal information and information systems) include, but are not limited to, the following:[66]

  1. Complete breach response training. (See Policy Section 6.2 above for additional information)
  2. Report all suspected or confirmed breaches to the OpDiv or HHS, as set forth in the HHS Breach Response Plan (Appendix A), as soon as possible and without unreasonable delay, without waiting for confirmation that a breach occurred.  Reporting must be consistent with OpDiv and HHS incident management policies and procedures, HHS IT acquisitions guidance, NIST standards and guidelines, and US-CERT notification guidelines.[67]  (See Policy Section 6.4 above for additional information)

7.15. HHS Legal Counsel

The responsibilities of the designated HHS legal counsel are set forth in the HHS Breach Response Plan (Appendix A).

7.16. HHS Legislative Affairs Official

The responsibilities of the designated HHS legislative affairs official are set forth in the HHS Breach Response Plan (Appendix A).

7.17. HHS Communications Official

The responsibilities of the designated HHS communications official are set forth in the HHS Breach Response Plan (Appendix A).

8. Information and Assistance

The HHS Office of Privacy and Information Management (PIM) is responsible for the development and management of this Policy.  Questions, comments, suggestions, and requests for information about this policy should be directed to [email protected].

9. Effective Date and Implementation

The effective date of this Policy is the date on which the policy is approved.  This Policy must be reviewed, at a minimum, every three (3) years from the approval date. 

The HHS CIO has the authority to grant a one (1) year extension of the Policy.

To archive this Policy, approval must be granted, in writing, by the HHS CIO.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.”  It is HHS’s policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the HHS’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.


10. Approval

/S/

José Arrieta, Chief Information Officer (CIO)  

May 27, 2020

11. Concurrence

/S/

Scott Rowell, Assistant Secretary for Administration (ASA)

June 02, 2020

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No standards are required to comply with this policy.


Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

1. Factors for Assessing the Risk of Harm to Individuals Potentially Affected by a Breach

Nature and Sensitivity of Personally Identifiable Information (PII)

Data Elements
Question: What is the sensitivity level of each individual data element that was breached or potentially breached?  When combined, do the data elements pose a greater risk of harm to the individual?
Additional Guidance: Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual.  These data elements include, but are not limited to, Social Security Numbers (SSN), passport numbers, driver's license numbers, state identification numbers, bank account numbers, passwords, and biometric identifiers.  This consideration should include information that may have been potentially compromised in a previous breach, and any other available information that might result in an increased risk of harm to individuals.

Context
Question: What was the context of the potentially breached information?
Additional Guidance: The context includes the purpose for which the PII was collected, maintained, and used.

Private Information
Question: To what extent would this type of PII constitute information that an individual would generally keep private?
Additional Guidance: Examples of private information include: derogatory personnel or criminal information; personal debt and finances; medical conditions; treatment for mental health; pregnancy related information including pregnancy termination; sexual history or sexual orientation; adoption or surrogacy information; and immigration status.  Passwords are another example of private information that if involved in a breach may present a risk of harm.

Vulnerable Populations
Question: Are the potentially affected individuals from a particularly vulnerable population that may be at greater risk of harm than the general population?
Additional Guidance: Potentially vulnerable populations include, but are not limited to: children; active duty military; government officials in sensitive positions; senior citizens; individuals with disabilities; confidential informants; witnesses; certain populations of immigrants; non-English speakers; and victims of certain crimes such as identity theft, child abuse, trafficking, domestic violence, or stalking.  This is not a comprehensive list and other populations may also be considered vulnerable.

Permanence
Question: What is the permanence of the PII?  Will the information, for example, permanently identify an individual, and remain relevant and useful over time?
Additional Guidance: Special considerations are warranted, for example, when a breach involves biometric or health information.


Likelihood of Access and Use of PII

Security Safeguards
Question: What security safeguards were implemented to protect the breached information?  If the information was encrypted:
  • What was the degree of encryption?
  • At what level was the encryption applied?
  • Were decryption keys controlled, managed, and used?
Additional Guidance: Examples may include encryption, redaction, data masking, and remote wiping of a connected device, in addition to physical safeguards.

Format and Media
Question: What was the format and media of the PII?
Additional Guidance: Examples may include a spreadsheet on a portable USB flash drive or a magnetic tape cartridge used for backing up servers.

Duration of Exposure
Question: How long was the PII exposed?
Additional Guidance: Duration can be measured by the length of time PII was left exposed on a website or unattended in a public space (e.g., two hours, four days, etc.).

Evidence of Misuse
Question: Is there evidence of misuse of the breached information?
Additional Guidance: Examples may include distribution of information to malicious actors or posting information to a public website.


Type of Breach

Intent
Question: Was the breach intentional, unintentional, or is the intent unknown?
Additional Guidance: Intent may be indicated by the circumstances surrounding the breach, such as the actor and whether there is any evidence of misuse.

Recipient
Question: Who received the compromised PII?
Additional Guidance: Examples may include: HHS employees or contractors only; members of the public; and external partners, including state and federal agencies and other entities with formal data sharing agreements.


2. Examples of Guidance HHS May Offer*

Active Duty Alert:  Service members who deploy can place an active duty alert on their credit reports to help minimize the risk of identity theft.  These types of alerts on a credit report mean businesses have to take extra steps before granting credit to an individual.  Active duty alerts last for one year, and can be renewed by the service member to match the period of their deployment.

Credit Freeze:  A credit freeze restricts access to an individual’s credit report.  When offering this type of guidance, Breach Response Stakeholders should be aware that because access to a credit report is usually required by creditors, a credit freeze can prevent creditors from approving a new account.

Credit Freezes for Children:  Guardians are sometimes able to place a freeze on a child’s credit, even if the child does not yet have a credit history.  Several states mandate that all credit bureaus provide this option.  Outside those states, the option may still be available depending on the credit bureau.  In these instances, guardians may have to provide additional information about themselves as well as the child in order to show the relationship.

Closing or Changing Accounts:  Individuals should immediately dispute any unauthorized charges to existing accounts, including closing or changing account numbers so that unauthorized activity does not continue.  This will not prevent new unauthorized accounts of which individuals may be unaware.

Obtaining a Free Credit Report:  Individuals can obtain a free credit report yearly from each of the three national credit bureaus (Equifax, Experian, and TransUnion) from annualcreditreport.com or by calling the credit reporting agencies’ toll-free numbers.  Individuals should review their credit reports for any accounts they do not recognize.

Cyber Hygiene:  Breach Response Stakeholders must also consider providing individuals with resources on good cyber hygiene (e.g., setting up multi-factor authentication, using complex passwords).  Resources include: DHS’s STOP.THINK.CONNECT. Campaign at: https://www.dhs.gov/stopthinkconnect or https://www.ftc.gov/onguardonline; US-CERT’s tips on protecting privacy at: https://www.us-cert.gov/ncas/tips/ST04-013; and US-CERT’s tips on preventing online identity theft at: https://www.us-cert.gov/ncas/tips/ST05-019.

Deceased Alerts:  Deceased individuals can be at heightened risk for identity fraud that may impact the deceased individual’s estate.  This creates liability for a surviving spouse if, for example, his or her name is on joint accounts.  To prevent this, death certificates can be sent to the Internal Revenue Service (IRS) as well as the major credit bureaus, with a request to place a “deceased alert” on the account to prevent new activity.

Fraud Alert:  A fraud alert tells creditors that they must take reasonable steps to verify the identity of the individual who is applying for credit.  A fraud alert also allows individuals to order one free copy of the individual’s credit report from each of the three national credit bureaus.  To place this alert, individuals can contact one of the three national credit bureaus, who must then notify the others.  The initial fraud alert stays on the credit report for 90 days and can be renewed.

FTC.gov/idtheft:  The FTC’s website provides free identity theft resources for individuals as well as community leaders, businesses, advocates, and law enforcement to share in their communities.  The website includes resources on proactive steps individuals can take to monitor and protect their information and educate themselves on the different types of identity theft and the resources available to protect against and recover from identity theft.

IdentityTheft.gov:  This is the Federal Government’s one-stop resource for identity theft victims.  Individuals can use the website to report identity theft and get a personalized recovery plan that walks them through each step, updates the plan as needed, and pre-fills letters and forms.  It also advises individuals on steps they can take to prevent identity theft when they receive notice that their PII has been compromised.  The website is managed by the FTC and is integrated with the FTC’s complaint system, which makes the complaint information available to law enforcement across the country through Consumer Sentinel, a secure online database available to law enforcement.

Tax Fraud:  HHS may consider recommending that individuals file an IRS Identity Theft Affidavit (Form 14039) to prevent an identity thief from using compromised PII to falsely claim the individual’s tax refund.

3. Examples of Services HHS May Offer+

Credit Monitoring:  Many companies, including credit reporting agencies, offer this service as a subscription for a defined period of time.  The service includes monitoring an individual’s credit report and notifying the potentially affected individual, usually via email, when new activity is reported to their credit report.  Credit monitoring notifies individuals that compromised information may have been used to open a new credit account using their information.  It does not monitor other non-credit-based risks for misuse of compromised information.

Identity Monitoring:  These services monitor the use of an individual’s overall identity beyond information contained in a credit report.  This monitoring generally tracks whether the individual’s information has been exposed online, in addition to monitoring other databases, which may include information related to change of address, court records, payday loans, health, criminal, and other identifying information beyond just financial credit information.  These more comprehensive services mitigate risks of the non-credit identity thefts outlined above.  Each company provides different monitoring services, so Breach Response Stakeholders must ensure that monitoring options are appropriate given the compromised information.  The effectiveness of the monitoring will depend on factors such as the databases monitored, the amount and accuracy of the information in the databases, and how often the company checks the databases.

Full-Service Identity Counseling and Remediation Services:  These are additional services that provide trained counselors or case managers to help individuals recover from identity theft.  The services may include assisting individuals with preventing pre-screened offers of credit, helping consumers dispute charges and removing fraudulent information, and providing legal assistance.  Generally, individuals authorize companies offering these services to act on their behalf.

Identity Theft Insurance:  Insurance reimburses individuals for certain losses resulting from identity theft.  Generally, this insurance covers only out-of-pocket expenses directly associated with recovery from the identity theft.  Typically, these are limited to things like postage, copying, and notary costs.  Some policies cover lost wages or legal fees.  Generally, these policies do not provide reimbursement for any funds that are stolen as a result of the identity theft.  Breach Response Stakeholders must understand what they are purchasing and, within any guidance provided to the potentially affected individuals, communicate clearly the details of what the insurance covers as well as any limitations and exclusions.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No forms and templates are associated with this policy.

Glossary* and Acronyms

Definitions:

  • Breach:  The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses personally identifiable information for an other than authorized purpose.
  • Breach Response Plan:  The agency's formal document that includes the policies and procedures that must be followed with respect to reporting, investigating, and managing a breach.
  • Breach Response Stakeholders: For the purposes of this document, Breach Response Stakeholders may include, but are not limited to, OpDiv Senior Officials for Privacy (SOPs), OpDiv privacy staff, OpDiv security staff, OpDiv system owners, and OpDiv program managers.
  • Breach Response Team:  The group of agency officials designated by the head of the agency that the agency may convene to respond to a breach.  Once convened, the SAOP is responsible for leading the Breach Response Team's response to a breach.
  • Federal Information:  Information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form.
  • Federal Information System:  An information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.
  • Incident:  An occurrence that: (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
  • Personally Identifiable Information:  Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.
  • Senior Agency Official for Privacy:  The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency's development and evaluation of legislative, regulatory, and other policy proposals.

Acronyms:

  • BPA Blanket Purchase Agreement
  • CAO Chief Acquisition Officer
  • CIO Chief Information Officer
  • CSIRC Computer Security Incident Response Center
  • DHS Department of Homeland Security
  • FAQ Frequently Asked Questions
  • FISMA Federal Information Security Modernization Act
  • FTC Federal Trade Commission
  • GSA General Services Administration
  • HITECH Health Information Technology for Economic and Clinical Health Act
  • HHS Department of Health and Human Services
  • HHSAR Department of Health and Human Services Acquisition Regulation
  • IPS Identity Protection Services
  • IRS Internal Revenue Service
  • IT Information Technology
  • NIST National Institute of Standards and Technology
  • OCIO Office of the Chief Information Officer
  • OCR Office for Civil Rights
  • OMB Office of Management and Budget
  • OpDiv Operating Division
  • PHI Protected Health Information
  • PIA Privacy Impact Assessment
  • PII Personally Identifiable Information
  • PPD Presidential Policy Directive
  • SAOP Senior Agency Official for Privacy
  • SOC Security Operations Center
  • SORN System of Records Notice
  • SSN Social Security Number
  • StaffDiv Staffing Division
  • TDD Telecommunications Device for the Deaf
  • US United States
  • US-CERT United States Computer Emergency Readiness Team

[1] Examples of PII include, but are not limited to, name, Social Security number (SSN), date of birth, mother’s maiden name, financial records, email address, driver’s license number, passport number, and health information.

[2] OMB. (2017, January 3). Preparing for and Responding to a Breach of Personally Identifiable Information, M-17-12, pg. 8, III.B. Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf.

[3] For more information on training and awareness, please see the HHS Information Systems Security and Privacy Policy (IS2P) -- 2014 edition.

[4] OMB M-17-12, pg. 10; IV.

[5] For the purposes of this Policy, system users are defined as individuals authorized to access an information system. This definition was adapted from Federal Information Processing Standards (FIPS). (2006, March). Minimum Security Requirements for Federal Information and Information Systems, Publication 200. Available at: https://doi.org/10.6028/NIST.FIPS.200.

[6] For information regarding High Value Assets (HVAs), see: OMB. (2018, December 10). Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, M-19-03. Available at: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf. For additional information, see HHS Office of the Chief Information Officer. (2019, Sept. 10). HHS Policy for the High Value Asset (HVA) Program.

[7] OMB M-17-12, pg. 10; IV.

[8] OMB M-17-12, pg. 15; VI.

[9] The HHS SAOP or his or her designee works with the HHS Privacy Act Officer to ensure that all SORNs continue to include routine uses for the disclosure of information necessary to respond to a breach of PII.

[10] Please refer to the HHS Security and Privacy Language for Information and Information Technology Procurements for additional guidance on language to include in contracts.

[11] US-CERT Federal Incident Notification Guidelines. Available at: https://www.us-cert.gov/incident-notification-guidelines.

[12] Actions taken must be carried out in accordance with the terms of the HHS information technology (IT) acquisitions guidance.

[13] OMB M-17-12, pg. 13; V.B.

[14] OMB M-17-12, pg. 13; V.B.

[15] OMB M-17-12, pg. 13; V.C.

[16] Where there are gaps in an OpDiv’s ability to respond to a breach, Heads of OpDivs and Breach Response Stakeholders should first assess whether the lacking breach response capabilities can be addressed at the OpDiv level. If additional breach response capabilities are needed HHS- or enterprise-wide or involve the use of a General Services Administration (GSA) Blanket Purchase Agreement (BPA), the Heads of OpDivs and Breach Response Stakeholders should communicate with the CAO about these outstanding needs. OMB M-17-12, pg. 14; V.D.

[17] HHS Computer Security Incident Response Center (CSIRC). (2010, June 10). Concept of Operations. Available at: https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-04/HHS_CSIRC_CONOPS_06_09_2010.pdf.

[18] Protection of Human Subjects, 45 C.F.R. § 46 (Jan. 1, 2009).

[19] OMB M-17-12, pg. 14; VI.

[20] OMB M-17-12, pg. 15; VI.

[21] Please contact your OpDiv Privacy Program or Security Incident Response Team for guidance on how to report a breach within your OpDiv.

[22] OMB M-17-12, pg. 15; VI.

[23] OMB M-17-12, pg. 15; VI.

[24] OMB M-17-12, pgs. 34-35; VIII.

[25] OMB M-17-12, pg. 35; IX.

[26] OMB M-17-12, pg. 35; IX.

[27] OMB M-17-12, pg. 36; XI.

[28] OMB M-17-12, pgs. 10-11; V.A.

[29] OMB M-17-12, pg. 12; V.B.

[30] OMB M-17-12, pg. 12; V.B.

[31] OMB M-17-12, pg. 14; V.D.

[32] OMB M-17-12, pg. 14; V.D.

[33] OMB M-17-12, pg. 14; V.D.

[34] OMB M-17-12, pg. 15; VI.

[35] OMB M-17-12, pg. 15; VII.

[36] OMB M-17-12, pg. 16; VII.

[37] OMB M-17-12, pg. 35; IX.

[38] OMB M-17-12, pg. 35; IX.

[39] OMB M-17-12, pg. 35; IX.

[40] OMB M-17-12, pg. 36; X.

[41] OMB M-17-12, pg. 12; V.B.

[42] OMB M-17-12, pg. 14; V.D.

[43] OMB M-17-12, pg. 14; V.D.

[44] OMB M-17-12, pg. 14; V.D.

[45] OMB M-17-12, pg. 12; V.B.

[46] OMB M-17-12, pg. 35; IX.

[47] OMB M-17-12, pg. 16; VII.

[48] OMB M-17-12, pg. 35; X.A.

[49] OMB M-17-12, pg. 14; V.D.

[50] OMB M-17-12, pg. 14; V.D.

[51] OMB M-17-12, pg. 14; V.D.

[52] OMB M-17-12, pg. 30; VII.G.1.

[53] OMB M-17-12, pg. 13; V.B.

[54] OMB M-17-12, pg. 13; V.B.

[55] OMB M-17-12, pg. 13; V.C.

[56] OMB M-17-12, pg. 13; V.B.

[57] OMB M-17-12, pg. 35; IX.

[58] OMB M-17-12, pg. 35; IX.

[59] OMB M-17-12, pg. 35; X.A.

[60] Breach Response Stakeholders include, but are not limited to, OpDiv Senior Officials for Privacy (SOPs), OpDiv privacy staff, OpDiv security staff, OpDiv system owners, and OpDiv program managers.

[61] OMB M-17-12, pg. 13; V.B.

[62] OMB M-17-12, pg. 14; V.D.

[63] OMB M-17-12, pg. 14; V.D.

[64] OMB M-17-12, pg. 14; V.D.

[65] OMB M-17-12, pg. 34; VIII.

[66] For the purposes of this Policy, system users are defined as individuals authorized to access an information system. This definition was adapted from Federal Information Processing Standards (FIPS). (2006, March). Minimum Security Requirements for Federal Information and Information Systems, Publication 200. Available at: https://doi.org/10.6028/NIST.FIPS.200.

[67] OMB M-17-12, pg. 14; VI.

[68] For the purposes of this document, references to Operating Divisions (OpDiv) also include Staff Divisions (StaffDiv).  The privacy program of the Office of the Secretary (OS) provides privacy support for U.S. Department of Health and Human Services (HHS) StaffDivs, including executing the requirements of this Plan.

[69] Federal Information means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. Federal Information System means an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency. Federal Information Security Modernization Act (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II); Office of Management and Budget (OMB). (2016, July 27). Circular No. A-130, Managing Information as a Strategic Resource. Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.

[70] 44 U.S.C. § 3552.

[71] Examples of a breach include, but are not limited to, the loss or theft of a Government-furnished device containing PII, an employee reading a paper file containing PII without a need to know, and hackers accessing HHS PII.

[72] OMB. (2017, January 3). Preparing for and Responding to a Breach of Personally Identifiable Information, M-17-12, pg. 16; VII.A (hereinafter OMB M-17-12). Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf.

[73] OMB M-17-12, pg. 17; VII.A.

[74] As defined by OMB guidance, a “major incident” is “EITHER: I. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide, OR, II. A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. While agencies should assess each breach on a case-by-case basis to determine whether the breach meets the definition of a major incident, this memorandum requires a determination of major incident for any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people.” For more information, please see: OMB. (2019, November 19). Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements, M-20-04. Available at: https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf.

[75] Risk is determined using the formula: Risk = Likelihood x Impact. Likelihood is determined by considering the nature and cause of threats and vulnerabilities. Factors that govern the likelihood of threat exploitation include threat capability, frequency of threat occurrence, and effectiveness of existing countermeasures. Impact refers to the magnitude of potential harm from threat exploitation; it is the value of the resource at risk, both in terms of its inherent (replacement) value and its importance (criticality) to the HHS mission. The criticality and sensitivity of information is a useful guide for assessing the potential impact of an exploited vulnerability. The factors for assessing risk of harm to individuals potentially affected by a breach, as outlined in Section 2.5 below, can assist with determining the risk rating, but risk to HHS and to the Federal government at large, for example, must be considered as well.

[76] OMB M-17-12, pg. 17; VII.A.

[77] OMB M-17-12, pg. 20; VII.D. The Breach Response Team’s membership will be updated and maintained in the Breach Response Team Charter.

[78] OMB M-17-12, pg. 17; VII.A.

[79] OMB M-17-12, pg. 18; VII.B.

[80] OMB M-17-12, pg. 18; VII.B.

[81] OMB M-17-12, pg. 18; VII.C. Please also see relevant HHS IT acquisitions guidance for additional information sharing requirements, including the requirement that contractors “[p]rovide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents.”

[82] OMB M-17-12, pg. 18; VII.C.

[83] OMB M-17-12, pg. 19; VII.D.

[84] HHS Office of the Chief Information Officer (OCIO). (2014, July 30). Information Systems Security and Privacy Policy (IS2P). Available at: https://intranet.hhs.gov/technical-support/cybersecurity/policies-standards-memoranda-guides/policies.

[85] HHS Computer Security Incident Response Center (CSIRC). (2010, June 10). Concept of Operations. Available at: https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-04/HHS_CSIRC_CONOPS_06_09_2010.pdf.

[86] OMB M-17-12, pg. 19; VII.D.

[87] OMB M-17-12, pg. 19; VII.D.

[88] OMB M-17-12, pg. 20; VII.D.

[89] OMB M-17-12, pg. 20; VII.D.

[90] OMB M-17-12, pg. 20; VII.E.

[91] OMB M-17-12, pg. 20; VII.E.

[92] Privacy Act of 1974, Pub. L. 93-579, 88 Stat. 1896 (Dec. 31, 1974) (primarily codified at 5 U.S.C. chapter 5, subchapter 2); OMB. (2016, July 27). Circular No. A-130, Managing Information as a Strategic Resource, p. 21. Available at: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf.

[93] OMB M-17-12, pg. 21; VII.E.

[94] OMB M-17-12, pg. 21; VII.E.

[95] OMB M-17-12, pg. 21; VII.E.

[96] OMB M-17-12, pg. 22; VII.E.

[97] OMB M-17-12, pg. 22; VII.E.

[98] OMB M-17-12, pg. 22; VII.E.

[99] OMB M-17-12, pg. 22; VII.E.

[100] OMB M-17-12, pg. 22; VII.E.

[101] OMB M-17-12, pg. 23; VII.E.

[102] OMB M-17-12, pg. 23; VII.E.

[103] OMB M-17-12, pg. 23; VII.E.

[104] OMB M-17-12, pg. 23; VII.E.

[105] OMB M-17-12, pg. 24; VII.E.

[106] OMB M-17-12, pg. 25; VII.E.

[107] OMB M-17-12, pg. 25; VII.E.

[108] OMB M-17-12, pg. 25; VII.E.

[109] OMB M-17-12, pgs. 25-26; VII.E.

[110] OMB M-17-12, pg. 26; VII.E.

[111] OMB M-17-12, pg. 26; VII.E.

[112] OMB M-17-12, pg. 26; VII.E.

[113] OMB M-17-12, pg. 26; VII.E.

[114] OMB M-17-12, pg. 27; VII.E.

[115] OMB M-17-12, pg. 27; VII.E.

[116] OMB M-17-12, pg. 27; VII.F.

[117] OMB M-17-12, pg. 27; VII.F.

[118] OMB M-17-12, pg. 28; VII.F.1.

[119] OMB M-17-12, pg. 28; VII.F.

[120] The Federal Trade Commission (FTC) provides specific guidance for when a breach involves Social Security numbers (SSNs), payment card information, bank accounts, driver's licenses, children's information, and account credentials.

[121] OMB M-17-12, pg. 28; VII.F.

[122] OMB M-17-12, pgs. 28-29; VII.F.

[123] OMB M-17-12, pg. 29; VII.F.

[124] OMB M-17-12, pg. 29; VII.G.

[125] OMB M-17-12, pg. 29; VII.G.

[126] OMB M-17-12, pg. 29; VII.G.

[127] As defined in Section 2.7.1 “Source of the Notification,” the “Notifying Official” is the HHS Secretary or a senior-level individual he or she may designate; in cases where a breach involves an HHS OpDiv, an OpDiv head or a designee must be the Notifying Official.

[128] OMB M-17-12, pg. 29; VII.G.

[129] OMB M-17-12, pg. 29; VII.G.

[130] OMB M-17-12, pgs. 29-30; VII.G.

[131] OMB M-17-12, pg. 30; VII.G.

[132] OMB M-17-12, pg. 30; VII.G.1.

[133] As applicable, OpDivs may designate a Notifying Official in an OpDiv-specific breach response plan.  The OpDiv heads may also designate a Notifying Official for specific breaches where notification is necessary. Designations must be approved by the Breach Response Team.

[134] OMB M-17-12, pg. 31; VII.G.2.

[135] OMB M-17-12, pg. 31; VII.G.2.

[136] OMB M-17-12, pg. 31; VII.G.2.

[137] OMB M-17-12, pg. 31; VII.G.2.

[138] OMB M-17-12, pg. 31; VII.G.3.

[139] OMB M-17-12, pg. 31; VII.G.3.

[140] OMB M-17-12, pg. 31; VII.G.3.

[141] OMB M-17-12, pgs. 31-32; VII.G.3.

[142] OMB M-17-12, pg. 32; VII.G.3.

[143] OMB M-17-12, pg. 32; VII.G.3.

[144] OMB M-17-12, pg. 32; VII.G.

[145] OMB M-17-12, pg. 32; VII.G.

[146] OMB M-17-12, pg. 33; VII.G.

[147] OMB M-17-12, pg. 33; VII.G.

[148] OMB M-17-12, pg. 33; VII.G.

[149] OMB M-17-12, pg. 33; VII.G.5.

[150] OMB M-17-12, pg. 34; VII.G.5.

[151] OMB M-17-12, pg. 16; VII.A.

[152] OMB M-17-12, pg. 27; VII.F.

[153] OMB M-17-12, pg. 29; VII.G.

[154] OMB M-17-12, pg. 30; VII.G.

[155] OMB M-17-12, pg. 15; VII.

[156] OMB M-17-12, pg. 16; VII.

[157] OMB M-17-12, pg. 16; VII.A.

[158] OMB M-17-12, pg. 17; VII.A.

[159] OMB M-17-12, pg. 20; VII.D.

[160] OMB M-17-12, pg. 19; VII.D.

[161] OMB M-17-12, pg. 17; VII.A.

[162] OMB M-17-12, pg. 20; VII.D.

[163] OMB M-17-12, pg. 29; VII.G.

[164] OMB M-17-12, pg. 17; VII.A.

[165] OMB M-17-12, pg. 17; VII.A.

[166] OMB M-17-12, pg. 24; VII.E.

[167] OMB M-17-12, pg. 19; VII.D.

[168] OMB M-17-12, pg. 16; VII.

[169] OMB M-17-12, pg. 30; VII.G.

[170] For the purposes of this document, references to OpDivs also include StaffDivs.  The privacy program of the Office of the Secretary (OS) provides privacy support for HHS StaffDivs, including executing the requirements of this Plan.

[171] OMB M-17-12, pg. 30; VII.G.

[172] OMB M-17-12, pg. 20; VII.D.

[173] OMB M-17-12, pgs. 20-27.

[174] OMB M-17-12, pgs. 27-29.

[175] OMB M-17-12, pgs. 29-34.

[176] Breach Response Stakeholders include, but are not limited to, OpDiv Senior Officials for Privacy (SOPs), OpDiv privacy staff, OpDiv security staff, OpDiv system owners, and OpDiv program managers.

[177] OMB M-17-12, pg. 18; VII.B.

[178] OMB M-17-12, pg. 17; VII.A.

[179] OMB M-17-12, pg. 19; VII.D.

[180] OMB M-17-12, pgs. 20-27.

[181] OMB M-17-12, pgs. 27-29.

[182] As defined in Section 2.7.1 “Source of the Notification,” the “Notifying Official” is the HHS Secretary or a senior-level individual he or she may designate; in cases where a breach involves an HHS OpDiv, an OpDiv head or a designee must be the Notifying Official. With the approval of the HHS Breach Response Team, OpDiv heads may designate a senior official as the Notifying Official.

[183] OMB M-17-12, pg. 17; VII.A.

[184] OMB M-17-12, pg. 17; VII.A.

[185] OMB M-17-12, pg. 17; VII.A.

* All examples of guidance in this section were adapted from those in OMB M-17-12.

+ All examples of services in this section were adapted from those in OMB M-17-12.

* Glossary terms in this section were adapted from those in OMB M-17-12.


Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed on June 17, 2020